Managing Users and Groups
- Understanding User and Group Management: Learn how to create, modify, and delete user accounts and groups on a Linux system using essential tools like useradd, userdel, groupadd, and groupdel.
- Working with System Files: Gain familiarity with critical system files like /etc/passwd, /etc/shadow, and /etc/group, and understand how user, password, and group information is stored and managed.
- Customizing User Account Settings: Modify default settings for new user accounts by editing the /etc/adduser.conf configuration file and the /etc/skel template directory, allowing for customization of new user environments.
- Password and Account Security: Develop skills in securing user accounts by setting password expiration policies and managing password lifetimes through the /etc/shadow file and commands like passwd and chage.
- Group-Based Permissions and Shared Resources: Learn to create and manage groups, assign users to groups, and configure shared directories with appropriate permissions to facilitate collaborative work among users.
- File Permissions and Directory Management: Understand how to change ownership and permissions of directories using tools like chmod and chgrp to control access based on user and group roles.
- Practical User Management Tools: Apply hands-on experience using utilities such as gpasswd, su, sudo, and nano to manage users and groups, edit system files, and adjust account settings on a Linux system.
Getting Started
If you're like me, you have user accounts everywhere. I have accounts on my phone and my laptop. I have a Google account, a GitHub account, an account at my public library, an account at Costco. I have a university account that lets me use the same login across multiple university systems, including email and our learning management systems. I have a lot of user accounts, like you probably do.
For many of those accounts, I have access to some things and not to others. For my university, I can submit grades to the registrar for my classes, but I can't submit grades to the registrar for my colleagues' classes. Lots of professors serve on lots of committees. I can access files for the committees I'm a member of, but not for those where I'm not a member. However, various administrators, like my unit director, can access all those files.
In order to define what a user can do with their account, systems implement authentication and authorization mechanisms. Authentication and authorization are fundamental concepts in system security and resource management, and they serve distinct but connected purposes. Authentication is the process of verifying a user's identity. When I attempt to log in to my university system, it asks, "who are you?", and I reply with my credentials, which are my username and password.
Authorization determines what an authenticated user is allowed to do. Once I am authenticated on my university system, it asks, "what can you do?" Then the system checks various permissions to allow certain actions and not others, or access to certain resources and not others.
These basic concepts are true across all operating systems and services. How these concepts are implemented varies, though. In this section, we will learn about the commands and files a Linux server uses to authenticate users (accounts and passwords) and to authorize them (groups and file permissions).
The man pages
Before we begin, you need to know about the man pages.
The man (short for manual) pages are internal documentation on just about every part of your system. You can read the manual for the commands on your system and for many of the special files on your system. For example, you can read the manual on the ls command with man ls, or the manual on the chmod command with man chmod. You can also read the manual on the manual, which you'd invoke with the man man command.
Much of what I know about the commands in this book, I learned from their man pages, such as:
man date
man glob
man grep
man bash
man regex
- and more!
The man pages are categorized by sections, which are explained in the man man page. Each section is denoted by a number. The first section, denoted by the number 1, contains man pages on executable programs or shell commands. The fifth section, denoted by the number 5, contains man pages on file formats and conventions. The eighth section contains system administration commands, which is where most of the account management tools in this section live. There are nine total sections.
In the case where a command and a system file each have the same name, we need to specify the section number when invoking man for those pages. For example, use man 1 crontab to read the man page for the crontab executable, which is located at /usr/bin/crontab. Use man 5 crontab to read the man page for the crontab file, which is located at /etc/crontab.
You can make the man pages easier to read by installing an additional program called bat. The bat program is a drop-in replacement for the cat command but comes with syntax highlighting and more. Note that on Debian and Ubuntu the executable is installed under the name batcat, because the name bat is already used by another package; that is why the commands below say batcat. To install bat, do:
sudo apt install bat
Then use nano to open your $HOME/.bashrc file:
nano $HOME/.bashrc
And add the following line at the end, which will add some color to the man pages:
export MANPAGER="sh -c 'col -bx | batcat -l man -p'"
Once you've saved and closed your $HOME/.bashrc file, you need to source it:
source $HOME/.bashrc
Additionally, since bat is a drop-in replacement for the cat command, you can also use it to view or concatenate files. The full command is batcat [FILE], where [FILE] is the name of the file or files to view.
The passwd file
On every system there will be some place where information about users is stored. On a Linux system, user account information is stored in the file /etc/passwd. You should take a moment to read about this file in its man page. However, if you run man passwd, you will by default get the man page on the /usr/bin/passwd command. We want to read about the passwd file located at /etc/passwd:
man 5 passwd
Let's take a look at a single line of the file. Below I show the output for a fictional user account:
grep "peter" /etc/passwd
And the output:
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
Per the man 5 passwd page, we know that the line starting with peter is a colon separated line. That means that the line is composed of seven fields, each separated by a colon (which is perfect for awk to parse). man 5 passwd tells us what each field indicates.
The first field is the login name, which in this case is peter.
The second field, marked x, is the password field. This file does not contain the password, though. The x means that the password hash is kept in /etc/shadow instead. /etc/passwd has to be readable by everyone, because every program that turns a numeric user ID into a name reads it, so it is not a safe place for password hashes; /etc/shadow, by contrast, can only be read by the root user (or by using the sudo command).
A hash is the output of running a one-way hashing algorithm on a file or a string of text. If the input is copied exactly, byte for byte, then hashing the copy will return the same value; if anything about the input has changed, the hash value will be different. On its own, this means that two users on a system who chose the same password would end up with identical hashes, and that an attacker could precompute the hashes of common passwords and compare them against a stolen shadow file. Salting addresses this: a unique, random salt is generated for each password and mixed into the hash, and the salt is stored alongside the hash. Even if two users choose the same password, their salted hashes will be different, and precomputed tables are useless.
The third field is the user's numerical ID (UID), and the fourth field is the user's primary group ID (GID).
The fifth field is the comment, or GECOS, field. Here it merely repeats the login name, but it can hold specific types of information: the user's full name, their room number, their work and home phone numbers, and so forth, separated by commas. Comments are added using certain commands (discussed below).
The sixth field identifies the user's home directory, which is /home/peter.
The seventh field identifies the user's login shell, which is /bin/bash.
We can add comments using the chfn command. To add a full name to user peter's account, we use the -f option:
sudo chfn -f "peter Burns" peter
The /etc/passwd file is a standard Linux file, but data in the file will change depending on the Linux distribution. For example, the user and group IDs above start at 1000 because peter is the first human account on the system. This is a common starting numerical ID nowadays, but it could be different on other Linux or Unix-like distributions. The home directory could be different on other systems, too; for example, the default could be located at /usr/home/peter. Also, other shells exist besides bash, like zsh, which is now the default shell on macOS; so other systems may default to different shell environments.
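As an added example (not code from the original page), here is a small parser that splits a passwd record into its seven fields and decodes the comma-separated comment field the way chfn fills it in (full name, room, work phone, home phone, other). The records it runs on are constructed sample lines in the format shown above, including the fictional peter account and the linus account created later in this section; it never reads the real /etc/passwd. The system accounts in the sample and the cut-off of UID 1000 for "regular" accounts are assumptions that match Debian-family defaults.

```python
"""Parse /etc/passwd records and decode the chfn-style comment (GECOS) field.

Added example, not code from the original page. SAMPLE_PASSWD is constructed
text in the format documented by man 5 passwd; nothing is read from the real
/etc/passwd.
"""
from dataclasses import dataclass
from typing import Dict, List

# The sub-fields chfn manages inside the fifth field, in the order it stores
# them: -f full name, -r room, -w work phone, -h home phone, -o other.
GECOS_KEYS = ("full_name", "room", "work_phone", "home_phone", "other")

# Shells that refuse an interactive login (used to skip service accounts).
NO_LOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


@dataclass
class PasswdEntry:
    login: str
    password_field: str      # normally "x": the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: Dict[str, str]
    home: str
    shell: str


def parse_gecos(gecos: str) -> Dict[str, str]:
    """Split 'Linus Torvalds,333,555-123-4567,' into named sub-fields,
    padding any that are missing with the empty string."""
    parts = gecos.split(",")[: len(GECOS_KEYS)]
    parts += [""] * (len(GECOS_KEYS) - len(parts))
    return dict(zip(GECOS_KEYS, parts))


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one record into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    login, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(login, pw, int(uid), int(gid), parse_gecos(gecos),
                       home, shell)


def parse_passwd(text: str) -> List[PasswdEntry]:
    return [parse_passwd_line(l) for l in text.splitlines() if l.strip()]


def human_accounts(entries: List[PasswdEntry], uid_min: int = 1000) -> List[PasswdEntry]:
    """Regular (non-system) accounts that can log in interactively. 1000 is
    the first regular UID on Debian-family systems; adjust for others."""
    return [e for e in entries
            if e.uid >= uid_min and e.shell not in NO_LOGIN_SHELLS]


# Constructed sample: the two accounts shown in this section plus typical
# system accounts (assumed; nobody's UID 65534 is the usual convention).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
peter:x:1000:1000:peter,,,:/home/peter:/bin/bash
linus:x:1003:1004:Linus Torvalds,333,555-123-4567,:/home/linus:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for e in human_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"{e.login:8} uid={e.uid} gid={e.gid} "
              f"name={e.gecos['full_name']!r} room={e.gecos['room']!r} "
              f"work={e.gecos['work_phone']!r} shell={e.shell}")
```

Point the parser at the real file with `parse_passwd(open("/etc/passwd").read())` to list the accounts on your own machine; the filtering by shell is what distinguishes human logins from the many service accounts a distribution ships with.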
The shadow file
The /etc/passwd file does not contain any passwords, just an x to mark the password field. Password hashes on Linux are stored in /etc/shadow. Each hash begins with a prefix that names the algorithm: $6$ means SHA-512 crypt, which is what older Debian and Ubuntu releases use; newer releases (Debian 11 and Ubuntu 22.04 onward) default to yescrypt, which is marked $y$. A password field that is just * or ! means the account has no password that can be used to log in, and a ! in front of a hash means the password has been locked. Note that locking the password only blocks password authentication; a user who has an SSH key installed can still log in unless the account itself is expired (see the -E option of chage).
You need to be root to read the shadow file, or use sudo (for example, sudo cat /etc/shadow).
The fields are (see man 5 shadow):
- login name (username)
- encrypted (hashed) password
- date of the last password change, stored as the number of days since 1 January 1970
- minimum password age: the number of days the user must wait before changing the password again
- maximum password age: the number of days after which the password must be changed
- password warning period: the number of days before expiry during which the user is warned
- password inactivity period: the number of days after expiry during which the expired password is still accepted; after that the account is locked
- account expiration date, also stored as days since 1 January 1970
- a reserved field
The /etc/shadow file should not be edited directly. To set, for example, a warning that a user's password will expire, we use the passwd command (see man passwd for options) or the chage command. The following command makes it so the user peter is warned 14 days before their password expires:
sudo passwd -w 14 peter
The group file
The /etc/group file holds group information for the entire system (see man 5 group). Each line has four colon-separated fields: the group name, a password field (usually x, meaning any group password and the list of group administrators live in /etc/gshadow, which like /etc/shadow is readable only by root), the numerical group ID, and a comma-separated list of the users who are members of the group in addition to those who have it as their primary group.
By default the file can be viewed by anyone on a system, but there is also a groups command that will return the groups for a user. See: man groups
Running the groups command by itself will return your own memberships.
Management Tools
There are different ways to create new users and groups, and the following list includes most of the utilities to help with this. Some of them overlap: useradd, usermod, userdel, groupadd, groupmod and groupdel are the low-level tools found on every Linux distribution, while adduser, deluser, addgroup and delgroup are the friendlier front ends that Debian and Ubuntu provide on top of them and configure through /etc/adduser.conf.
- useradd (8) - create a new user or update default new user information
- usermod (8) - modify a user account
- userdel (8) - delete a user account and related files
- groupadd (8) - create a new group
- groupdel (8) - delete a group
- groupmod (8) - modify a group definition on the system
- gpasswd (1) - administer /etc/group and /etc/gshadow
- adduser.conf (5) - configuration file for adduser(8) and addgroup(8)
- adduser (8) - add a user or group to the system
- deluser (8) - remove a user or group from the system
- delgroup (8) - remove a user or group from the system
- chgrp (1) - change group ownership
The numbers within parentheses above indicate the man section. Therefore, to view the man page for the userdel command:
man 8 userdel
Authentication
Modify default new user settings
Let's modify some default user account settings for new users, and then we'll create a new user account. Before we proceed, let's review two important locations that establish default settings:
- /etc/skel
- /etc/adduser.conf
The /etc/skel directory is the skeleton, or template, for new home directories. Whatever files or directories exist in this directory at the time a new user account is created are copied into the new user's home directory. We can view what those are using the following command:
ls -a /etc/skel/
The /etc/adduser.conf file defines the default parameters for new users. It's in this file where the default starting user and group IDs are set, where the default home directory is located (e.g., in /home/), where the default shell is defined (e.g., /bin/bash), where the default permissions are set for new home directories, and more. Older releases set new home directories to 0755, which lets every user on the system read every other user's home directory; recent releases tightened this default (Ubuntu 21.04 and later use 0750, Debian 12 uses 0700), so check the DIR_MODE setting on your system rather than assuming either value.
Let's change some defaults for /etc/skel. We need to use sudo [command] since this directory and its contents are owned by the root user. First, we'll edit the default .bashrc file:
sudo nano /etc/skel/.bashrc
We want to add the following lines at the end of the file. This file is a configuration file for /bin/bash, and will be interpreted by Bash. Lines starting with a hash mark are comments:
# Dear New User,
#
# I have made the following settings
# to make your life a bit easier:
#
# make "c" a shortcut for "clear"
alias c='clear'
Save and exit the file.
Use nano again to create a README file. This file will be added to the home directories of all new users. Add any welcome message you want, plus any guidelines for using the system. Then save and exit the file.
sudo nano /etc/skel/README
Add new user account
After writing (saving) and exiting nano, we can go ahead and create a new user named linus.
sudo adduser linus
We'll be prompted to enter a password for the new user, plus comments (full name, phone number, etc). Any of these can be skipped by pressing enter. You can see from the output of the grep command below that I added some extra information:
grep "linus" /etc/passwd
linus:x:1003:1004:Linus Torvalds,333,555-123-4567,:/home/linus:/bin/bash
We may want to set up some password conditions to help keep the new user account secure. To do that, we can modify the minimum days before the password can be changed, the maximum days before the password expires, the number of days before expiry at which the user gets a warning to change their password, and the number of days of inactivity after expiry before the account is locked. The passwd command can set some of these parameters, but the chage command is a bit more powerful:
sudo chage -m 7 -M 90 -W 14 -I 14 linus
See man chage for details, but:
- -m 7 sets the minimum password age to 7 days, so the user must wait a week before changing their password again (this stops a user from cycling straight back to a favourite old password).
- -M 90 sets the maximum age of the password to 90 days.
- -W 14 provides a 14 day warning to the user that the password will expire.
- -I 14 sets the inactivity period: once the password has expired, the user has 14 more days in which they can still log in and change it; after that the account is locked.
You can see these values by grepping the shadow file:
sudo grep "linus" /etc/shadow
To log in as the new user, use the su command and enter the password you used when creating the account:
su linus
Plain su keeps your current environment and working directory; adding a hyphen (su - linus) gives a full login shell with linus' own environment and home directory, which is usually what you want when checking a new account.
To exit the new user's account, use the exit command:
exit
As a sysadmin, you will want to regularly review and audit the /etc/passwd and /etc/shadow files to ensure that only authorized users have access to the system: look for accounts you did not create, for more than one account with UID 0, for empty password fields, and for passwords that have expired or that have no expiration policy at all.
Before proceeding, repeat the above process for a user named peter, or use a different username and adjust as necessary as you proceed.
Before proceeding, repeat the above process for a user named peter, or use a different username and adjust as necessary as you proceed.
Authorization
Let's say we've created our users and now we want to give them access to some additional resources. For example, we can set up a shared directory on the system that multiple users can access and use. To do that, we will begin to work with groups and file/directory permissions.
Add users to a new group
Because of the default configuration defined in /etc/adduser.conf (USERGROUPS is set to yes), the linus user only belongs to a private group of the same name. Let's create a new group that both linus and peter belong to. We'll call this developers. Then we'll add both peter and linus to that group. For that, we'll use the gpasswd -a command and option. We'll also make the user peter the group administrator using the -A option, which lets peter add and remove members of developers with gpasswd without needing sudo (see man gpasswd for more details).
sudo groupadd developers
sudo gpasswd -a peter developers
sudo gpasswd -a linus developers
sudo gpasswd -A peter developers
grep "developers" /etc/group
Note: if a user is logged in when you add them to a group, their existing sessions do not see the new membership. They need to log out and log back in (or start a new shell with newgrp developers) before the group membership goes into effect.
Create a shared directory
One of the benefits of group membership is that members can work in a shared directory. Let's make /srv/developers a shared directory. The /srv directory already exists, so we only need to create the developers subdirectory:
sudo mkdir /srv/developers
Now we change ownership of the directory so that it's group owned by the developers group that we created:
sudo chgrp developers /srv/developers
The directory ownership should now reflect that it's owned by the developers group:
ls -ld /srv/developers
The permissions are currently 0755 (what mkdir produces under the usual umask of 022), which means root can write to the directory but group members can only read and traverse it. To allow group members to read and write to the above directory, we need to use the chmod command in a way we haven't yet. Specifically, we add a leading 2 in front of the usual three permission digits. The 770 indicates that the user owner (root) and the group owner (developers) of the directory have read, write, and execute permissions, and that others have no access at all:
sudo chmod 2770 /srv/developers
The first digit, the 2 above, is the setgid (set group ID) bit. On a directory, setting it ensures that any files or subdirectories created within /srv/developers inherit the group ownership of the parent directory rather than the creator's primary group. In this case, that's the developers group. This is useful for group collaboration. By setting this, either linus or peter can add, modify, and delete files in the /srv/developers directory.
Two caveats are worth knowing. First, the setgid bit only controls the group of new files, not their permissions: under the usual umask of 022 a file peter creates will be mode 644, so linus can read it but not edit it. If members should be able to edit each other's files, they need a umask of 002, or the group write bit has to be added to the files afterwards with chmod. Second, because the directory is group writable, any member can delete or rename any other member's files; if that is not wanted, add the sticky bit as well (mode 3770), which restricts deletion to the file's owner and the directory's owner.
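To see why the setgid bit, the umask and the sticky bit interact the way described above, here is an added example (not code from the page) that models the kernel's owner/group/other permission check in Python. The UIDs of peter (1000) and linus (1003, primary group 1004) follow the records earlier in the section; the GID 1005 for developers, the outsider user mallory, and root's ownership of /srv/developers are assumptions. Nothing here touches the real filesystem.

```python
"""Model the owner/group/other permission check, umask, and the setgid and
sticky bits for a shared directory such as /srv/developers.

Added example, not code from the original page. peter (UID 1000) and linus
(UID 1003, primary GID 1004) follow the records earlier in the section;
developers = GID 1005, the outsider mallory and root's ownership of the
directory are assumptions. Nothing here touches the real filesystem.
"""
import stat
from typing import Dict, Set, Tuple

ROOT = 0
DEVELOPERS = 1005                       # assumed GID of the developers group
UID = {"peter": 1000, "linus": 1003, "mallory": 1010}
PRIMARY_GID = {"peter": 1000, "linus": 1004, "mallory": 1010}
SUPPLEMENTARY: Dict[str, Set[int]] = {"peter": {DEVELOPERS}, "linus": {DEVELOPERS}, "mallory": set()}
BITS = {"r": 4, "w": 2, "x": 1}


def parse_mode(text: str) -> int:
    """Turn a chmod argument such as '2770' or '755' into mode bits."""
    return int(text, 8)


def can(user: str, want: str, mode: int, owner_uid: int, owner_gid: int) -> bool:
    """Discretionary access check: exactly one of the owner, group or other
    triplets applies, chosen in that order. Root's override is not modelled."""
    if UID[user] == owner_uid:
        shift = 6
    elif owner_gid == PRIMARY_GID[user] or owner_gid in SUPPLEMENTARY[user]:
        shift = 3
    else:
        shift = 0
    return all((mode >> shift) & BITS[c] for c in want)


def new_file(creator: str, dir_mode: int, dir_gid: int, umask: int,
             requested: int = 0o666) -> Tuple[int, int]:
    """Mode and group of a file created in the directory: the umask clears
    bits from the requested mode, and a setgid directory hands its own group
    to the file instead of the creator's primary group."""
    mode = requested & ~umask & 0o777
    gid = dir_gid if dir_mode & stat.S_ISGID else PRIMARY_GID[creator]
    return mode, gid


def can_delete(user: str, dir_mode: int, dir_uid: int, dir_gid: int, file_uid: int) -> bool:
    """Unlinking needs write+search on the directory; with the sticky bit set
    only the file's owner (or the directory's owner) may unlink it."""
    if not can(user, "wx", dir_mode, dir_uid, dir_gid):
        return False
    if dir_mode & stat.S_ISVTX and UID[user] not in (file_uid, dir_uid):
        return False
    return True


def shared_dir_report(dir_mode_text: str, umask: int) -> Dict[str, bool]:
    """What linus and the outsider mallory can do after peter creates a file
    in a root-owned, developers-group directory with the given mode."""
    d = parse_mode(dir_mode_text)
    f_mode, f_gid = new_file("peter", d, DEVELOPERS, umask)
    return {
        "linus_can_enter_dir": can("linus", "rx", d, ROOT, DEVELOPERS),
        "mallory_can_enter_dir": can("mallory", "rx", d, ROOT, DEVELOPERS),
        "file_group_is_developers": f_gid == DEVELOPERS,
        "linus_can_read_file": can("linus", "r", f_mode, UID["peter"], f_gid),
        "linus_can_write_file": can("linus", "w", f_mode, UID["peter"], f_gid),
        "linus_can_delete_file": can_delete("linus", d, ROOT, DEVELOPERS, UID["peter"]),
    }


if __name__ == "__main__":
    for mode_text, umask in (("2770", 0o022), ("2770", 0o002), ("3770", 0o022), ("0770", 0o022)):
        print(f"chmod {mode_text}, umask {umask:03o}: {shared_dir_report(mode_text, umask)}")
```

The four runs in the main block reproduce the caveats: 2770 with umask 022 gives linus read but not write on peter's file, umask 002 gives both, 3770 stops linus deleting peter's file, and 0770 without the setgid bit leaves the file in peter's private group.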
User account and group deletion
You can keep the additional user and group on your system, but know that you can also remove them. The deluser and delgroup commands offer great options and may be preferable to the other utilities (see man deluser or man delgroup). If we want to delete the new user's account and the new group, these are the commands to use. The first command will create an archival backup of linus' home directory in the current directory and then remove the home directory and any files in it. Both commands need root privileges:
sudo deluser --backup --remove-home linus
sudo delgroup developers
Note that files linus owned outside the home directory, such as anything created in /srv/developers, are not removed. They are left behind owned by the now-unassigned UID 1003, and if that UID is later handed out to a new account, the new user silently inherits them. Part of removing a user is finding such files and reassigning or deleting them.
Conclusion
Knowing how to manage user accounts and manage passwords are key sysadmin skills. They are needed to provide collaborative environments and to keep our systems secure through authentication and authorization. While the methods to manage these things vary by operating system, the basic concepts are the same across OSes and services.
Although the basic concepts hold true across systems, things get a bit more complex for enterprise systems. On enterprise systems running Windows, Active Directory (AD) is used for both authentication and authorization. On enterprise systems running Linux, the Lightweight Directory Access Protocol (LDAP) is commonly used to query a central directory that stores and manages user accounts and credentials, instead of maintaining a separate /etc/passwd on every machine. LDAP-aware Linux systems can also be integrated with AD, enabling them to use AD for centralized user management. Other technologies exist that facilitate user and resource management. They include:
In this section, we learned about important user management files like /etc/passwd, /etc/shadow, /etc/group, /etc/skel, and /etc/adduser.conf. We continued to use nano to edit configuration files, specifically the files in /etc/skel, and we reviewed the defaults set in /etc/adduser.conf. We dove deeper into exploring how the man pages work. We also learned how to create new Linux user accounts, modify those accounts' password parameters, assign those accounts to groups, and create a shared directory for those accounts for collaboration.
We covered the following new commands:
- adduser: add a user or group to the system
- chage: change user password expiry information
- chfn: change real user name and information
- chgrp: change group ownership
- delgroup: remove a user or group from the system
- deluser: remove a user or group from the system
- gpasswd: administer /etc/group and /etc/gshadow
- groupadd: create a new group
- passwd: change a user's password and password aging settings (man 5 passwd describes the password file of the same name)
- su: run a command with substitute user and group ID