Understanding Linux Users and Groups

Introduction

Linux is a multiuser operating system. In a multiuser environment, creating new users, modifying existing users, and removing users are common administration tasks. For ease of access management, users are assigned to groups. Creating, deleting, and modifying groups is another common administration task.

This guide covers the basics of user and group management.

Requirements

To follow this guide, you’ll need access to a Linux or Mac machine. You’ll need some familiarity with using the terminal to execute commands.

If you aren’t familiar with using the terminal, feel free to take advantage of the resources available at Linux Academy to get up to speed. These resources are listed at the end of this guide.

Users

Users of the system may be human users (people who log into the system) or system users (accounts used to start non-interactive background services such as databases). From the perspective of the operating system, there is no distinction between human users and system users, and all the information is stored in the same file.

However, there is a range of user IDs reserved for human users and another range for system users. To view this range, execute the following command:


me@home:~$ grep UID /etc/login.defs
UID_MIN 1000
UID_MAX 60000
SYS_UID_MIN 100
SYS_UID_MAX 999

/etc/passwd File

Information about users is stored in the /etc/passwd file. To view the first line of the file, execute the following command:


me@home:~$ head -1 /etc/passwd
root:x:0:0:root:/root:/bin/bash

The first root is the username.

The character x is a placeholder for the password. The password hash itself is kept in /etc/shadow, which only root can read.

0 is the user ID for this user.

0 is the group ID for this user.

The next root is a comment about this user.

/root is the home directory for this user.

And finally /bin/bash is the shell for this user.
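
The field layout above and the UID ranges from /etc/login.defs are enough to audit an account list. The following is an added example, not part of the original guide: the function names and the sample entries are constructed for illustration, and 1000 is the UID_MIN value shown earlier.

```bash
#!/bin/sh
# Constructed sample in /etc/passwd format (not taken from a real system).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:112:120:PostgreSQL:/var/lib/postgresql:/bin/bash
john:x:1001:1001:John from Accounts:/home/john:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
legacy::1002:1002:old account:/home/legacy:/bin/bash
EOF
}

# audit_passwd UID_MIN: reads passwd-format lines on stdin and prints
# "finding:username" for every entry that deserves a second look.
audit_passwd() {
  awk -F: -v min="$1" '
    NF != 7                 { print "malformed:" $1; next }
    # Any account with UID 0 has root privileges, whatever its name.
    $3 == 0 && $1 != "root" { print "uid0-not-root:" $1 }
    # An empty second field means no password is required at all.
    $2 == ""                { print "empty-password-field:" $1 }
    # System accounts (UID below UID_MIN) rarely need an interactive shell.
    $3 > 0 && $3 < min && $7 !~ /(nologin|false)$/ {
      print "system-with-shell:" $1
    }
  '
}

# Run against the constructed sample. On a real system:
#   audit_passwd "$(awk '$1 == "UID_MIN" {print $2}' /etc/login.defs)" < /etc/passwd
sample_passwd | audit_passwd 1000
```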


Adding Users

You can add new users with the useradd command. The very minimum needed by the useradd command is a username. However, you’ll generally need more than just a username. Execute the following command to create a user named john:


me@home:~$ sudo useradd -c "John from Accounts" -m -s /bin/bash john

The -c flag adds a comment in the /etc/passwd file for this account.

-m automatically creates the home directory for this user under /home with the same name as the username i.e. /home/john

-s assigns the shell for the user.

To see the entry created for this new user, execute the following command:


me@home:~$ grep john /etc/passwd
john:x:1001:1001:John from Accounts:/home/john:/bin/bash

The user john has been assigned the user ID 1001 and the group ID 1001. You can manually specify the user ID using the -u flag followed by the user ID. When this is not specified, the first available user ID is chosen. If the group name is not assigned using the -g flag, a group is created with the same name and ID as the user and is made the primary group of the user. Note that the user has not been assigned a password yet.

The following list summarizes some of the flags that can be used with useradd:


-c Adds a comment. Example: -c "John from Accounts"

-d Specifies the home directory for the user. Use this if the name of the home directory is different from the username. Example: -d /home/accounts/john

-e Specifies the expiration date for the account in YYYY-MM-DD format. Example: -e 2017-01-01

-g Specifies the primary group of the user. The group must already exist in the /etc/group file. Example: -g accounts

-G Specifies the additional groups to which the user belongs. Example: -G employees

-k Specifies the skeleton directory. The contents of the skeleton directory are copied into the user’s home directory. This flag can only be used in conjunction with the -m flag. The default skeleton directory is /etc/skel. Example: -k /skeleton/accounts

-p Specifies the password to be associated with this account. This must be an encrypted (hashed) password. You can assign the password later using the passwd command. Example: -p hashed_password

-s Specifies the shell to be associated with this account. Example: -s /bin/bash

-u Specifies the user ID to be used with this account. Without the -u flag, the first available user ID will be assigned. Example: -u 1005

Setting a Password

The newly made account has no password. The passwd command is used to add a password to the account. Execute the following command:


me@home:~$ sudo passwd john
[sudo] password for me:
Enter new UNIX password:
Retype new Unix Password:
passwd: password updated successfully

Modifying Users

The usermod command is used to modify an existing user account. Suppose we want to change the username john to johnny. Here’s how we’d do it:


me@home:~$ sudo usermod -l johnny john
[sudo] password for me:
me@home:~$ grep john /etc/passwd
johnny:x:1001:1001:John from Accounts:/home/john:/bin/bash

Notice that the username has changed but the home directory is still the same. Let’s change the home directory. Execute the following command:


me@home:~$ sudo usermod -m -d /home/johnny johnny
[sudo] password for me:
me@home:~$

If you were to now look at the entry in /etc/passwd, you’d notice that the home directory has been changed. The -d flag specifies the new home directory and the -m flag moves the contents of the old home directory to the new one.

You can even lock and unlock the account by using the -L and -U flags respectively. Execute the following command to lock the account:


me@home:~$ sudo usermod -L johnny
[sudo] password for me:
me@home:~$ sudo grep johnny /etc/shadow
johnny:!$6$mC3IOEDs$TMWBP2IJfxgDHKjW6cxFk80BY9aqFThvN8MfED/PJnVqI.mB7Ddtqn35VM5Q4Rm4l8bNIsOd3PXhRktJPwMlc0:16479:17104:0:99999:7:::

Because the user account has been locked, there is an exclamation mark before the hash of the password. To unlock the account, execute the following:


me@home:~$ sudo usermod -U johnny
[sudo] password for me:
me@home:~$
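
The exclamation-mark convention can be checked across all accounts at once. The following is an added example, not part of the original guide: the function names, the state labels and the sample entries (with placeholder salts and hashes) are constructed, and the sample uses the standard nine-field /etc/shadow layout. It also reports the expiry date set with the -e flag.

```bash
#!/bin/sh
# Constructed /etc/shadow-format sample; salts and hashes are placeholders.
sample_shadow() {
cat <<'EOF'
root:$6$SALT$HASHPLACEHOLDER:16479:0:99999:7:::
johnny:!$6$SALT$HASHPLACEHOLDER:16479:0:99999:7:::
daemon:*:16479:0:99999:7:::
newuser:!:16479:0:99999:7:::
legacy::16479:0:99999:7:::
contractor:$6$SALT$HASHPLACEHOLDER:16479:0:99999:7::17167:
EOF
}

# shadow_status TODAY: reads shadow-format lines on stdin and prints
# "user password-state expiry-state". TODAY is days since 1970-01-01.
shadow_status() {
  awk -F: -v today="$1" '{
    pw = $2
    if (pw == "")             state = "EMPTY"          # no password required
    else if (pw ~ /^!.*[$]/)  state = "locked"         # usermod -L: "!" before the hash
    else if (pw ~ /^[!*]+$/)  state = "no-valid-hash"  # password login not possible
    else if (pw ~ /^[$]/)     state = "active"
    else                      state = "other"
    # Field 8 is the account expiry date (useradd/usermod -e), in days.
    expiry = ($8 != "" && today >= $8 + 0) ? "expired" : "-"
    print $1, state, expiry
  }'
}

# Day 20000 is 2024-10-04; 17167 in the sample is 2017-01-01.
# On a real system (root is needed to read /etc/shadow):
#   sudo cat /etc/shadow | shadow_status "$(( $(date +%s) / 86400 ))"
sample_shadow | shadow_status 20000
```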

You can change the primary group of the user using the -g flag. Suppose John has moved from accounts to HR. To update the primary group, execute the following:


me@home:~$ sudo usermod -g hr johnny
[sudo] password for me:
me@home:~$

Similarly, you can add the user to more groups using the -aG flags (-a appends, -G names the groups). If you want to replace the additional groups the user was a part of, instead of adding new groups, use the -G flag on its own. To add the user johnny to the manager group, execute the following:


me@home:~$ sudo usermod -aG manager johnny
[sudo] password for me:
me@home:~$

You can change the user ID of the user using the -u flag. Execute the following command to change the user ID of the user johnny.


me@home:~$ sudo usermod -u 3000 johnny
[sudo] password for me:
me@home:~$

The list below summarizes some of the flags that can be used with the usermod command.


-l Changes the username associated with the account. Example: -l johnny

-d Changes the home directory associated with the account. Example: -d /home/johnny

-e Changes the expiration date associated with the account. Must be written in YYYY-MM-DD format. Example: -e 2018-01-01

-g Changes the primary group for the account. Example: -g employee

-G Changes the additional groups the user is part of. If you want to add the user to more groups, use the -aG flags. Using -G on its own will replace the existing list of groups.

-m Specifies that the contents of the old home directory should be moved to the new one. Can only be used with the -d flag.

Deleting Users

The userdel command is used to delete users. Here’s how you’d delete the user johnny.

me@home:~$ sudo userdel -r johnny
[sudo] password for me:
me@home:~$

The -r flag deletes the user and removes the user’s home directory and mail spool. Files that belong to the user outside the home directory are not removed by userdel; on Debian-based systems, the deluser command with the --remove-all-files flag removes those as well.


Groups

Groups are a collection of users. Assigning users to groups makes it easier to manage permissions. For example, you can set permissions to ensure that files are accessible to people in a particular group like accounts, hr, etc.

Whenever a user is created, by default, they are added to a new group with the same name as the username. This is called the primary group of the user. A user john would be added to a group named john.

Akin to users, a range of IDs is reserved for regular groups and system groups. You can view this range by executing the command below:


me@home:~$ grep GID /etc/login.defs
GID_MIN 1000
GID_MAX 60000
SYS_GID_MIN 100
SYS_GID_MAX 999


/etc/group File

Information about groups is stored in the /etc/group file.


me@home:~$ grep $(whoami) /etc/group
adm:x:4:syslog,me
cdrom:x:24:me


The first part is the name of the group.

x is a placeholder for password.

The next part is the group ID.

The last part is a comma-separated list of usernames that belong to that group.
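
A user's primary group is recorded only as the group ID in /etc/passwd, so the member list in /etc/group does not show everyone who holds a group's permissions. The following is an added example, not part of the original guide, that resolves both kinds of membership; the function names and the sample files are constructed for illustration.

```bash
#!/bin/sh
# make_samples DIR: writes constructed passwd and group files into DIR.
make_samples() {
  cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
me:x:1000:1000:Me:/home/me:/bin/bash
johnny:x:3000:1002:John from Accounts:/home/johnny:/bin/bash
jane:x:1003:1003:Jane:/home/jane:/bin/bash
EOF
  cat > "$1/group" <<'EOF'
adm:x:4:syslog,me
hr:x:1002:
manager:x:300:johnny,jane
jane:x:1003:
EOF
}

# group_members GROUP PASSWD_FILE GROUP_FILE: prints one sorted line per
# member, "user primary" or "user supplementary".
group_members() {
  awk -F: -v g="$1" '
    FNR == NR {                      # first file: the group database
      if ($1 == g) {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i], "supplementary"
      }
      next
    }
    # Second file: passwd. Field 4 is the primary group ID.
    gid != "" && $4 == gid { print $1, "primary" }
  ' "$3" "$2" | sort
}

# hr has an empty member list in the group file, yet johnny belongs to it.
tmp=$(mktemp -d)
make_samples "$tmp"
group_members hr "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```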

Adding Groups

The groupadd command is used to create a new group. To create a group, execute the following command:

me@home:~$ sudo groupadd manager
[sudo] password for me:
me@home:~$

This creates a new group named manager and assigns a group ID to it. With the -g flag, you can manually assign a group ID to it. Once a group has been created, you can assign it to a user using the usermod command.

Modifying Groups

The groupmod command is used to modify an existing group. Here’s how you’d modify the ID of the group:


me@home:~$ sudo groupmod -g 300 manager
[sudo] password for me:
me@home:~$

You can change the name of the group as follows:


me@home:~$ sudo groupmod -n managers manager
[sudo] password for me:
me@home:~$

Deleting Groups

The groupdel command is used to delete a group. Here’s how you’d delete the managers group:


me@home:~$ sudo groupdel managers
[sudo] password for me:
me@home:~$

Managing Groups with gpasswd

The gpasswd command can be used to add users to a group, remove them, and set admins for the group.

To add a user to a group, execute the following command:

me@home:~$ sudo gpasswd -a john manager
[sudo] password for me:
me@home:~$

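To set the member list of a group to several users at once, execute the following command. Note that the -M flag replaces the existing member list rather than adding to it: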


me@home:~$ sudo gpasswd -M john,jane manager
[sudo] password for me:
me@home:~$

To remove a user from a group, execute the following command:


me@home:~$ sudo gpasswd -d john manager
[sudo] password for me:
me@home:~$

To make the user an admin of the group, execute the following command:


me@home:~$ sudo gpasswd -A jane manager
[sudo] password for me:
me@home:~$

This brings us to the end of the guide on managing users and groups in Linux. The following section lists the resources available on Linux Academy that will help you with this guide.


Additional Resources

If you are new to the Linux operating system, take a look at the Linux Essentials course available at Linux Academy. The course will give you a basic understanding of Linux and give you a gentle introduction to the command line.

https://linuxacademy.com/cp/modules/view/id/38

If you’d like to master the terminal, have a look at Mastering Linux Command Line:

https://linuxacademy.com/cp/modules/view/id/10

To take your skills to the expert level, take a look at Linux by Example from Novice to Pros:

https://linuxacademy.com/cp/modules/view/id/19




  • Johnny J
    11-30-2016

    @fasihxkhatib: Nice guide!

  • Sean G
    11-30-2016

    Approved! Well done.

  • James M
    11-30-2016

    Fantastic!

  • Thy L
    05-06-2017

    Never tired to read this guide, it's very useful, thank you so much for sharing.

  • Adam C
    05-10-2017

    Would be nice if you explained a little history as to why there is an "x" for password in /etc/passwd, perhaps go into small detail (just a sentence) that this is where users' hashed passwords used to be stored.

  • Ronald G
    05-27-2017

    Nice tutorial, very clean.

  • Soe W
    01-06-2018

    Short and detailed. Thanks
