Linux User and Group Management

Users must authenticate to a Linux system before they can use resources or access files on it. The authentication process relies on a user account to represent the person, and this account is protected with a password. Linux grants or denies access to directories and files based on this identity. To make things easier on administrators, users with similar access requirements are placed into groups. Rather than having to grant ten individual users access to a folder, an administrator can place them all in a group and grant access to the group. This article provides commands you can use on a Linux system to manage users and groups. This article on services fits into a larger series of Linux articles covering various sysadmin topics, including hardware identification and managing system processes. You can build a lab environment by following the information in the Linux: Companion Lab for Linux Skill Blocks Repository article. If you need to review Linux command syntax, read Understand the Linux Command Line. In this series, we also covered how to pick a distribution, how the Linux kernel interacts with hardware and how Linux manages system services. Two companion articles follow this one in the weeks to come. The first of those covers managing directories and files. The second demonstrates standard Linux permissions. You can control access to directories and files using permissions applied to the users and groups created in this tutorial.

Manage Users

Managing Linux users from the command line is straightforward. You must know three related commands to create, modify, or delete users, and one command to reset passwords. I’ll provide examples of each of these commands. I suggest you work with the same accounts I do so that the next section (Linux groups) makes sense.

Create a User Account

Creating a new user account is as simple as typing the useraddcommand and a unique username. As with other commands, plenty of options exist to modify the results. Check the useradd man page for examples. Create a user named fsmith (a likely account name for user Fred Smith): Note: It is a poor security practice to log on to a Linux system as the root (administrator) user. Most systems force you to log on as a regular user and then use the sudo (super user do) command to elevate your privileges. You may be prompted for your password when using sudo. You will probably not receive any response from your system, which indicates the command succeeded. Type the following command to confirm the account exists: Linux stores user accounts in a file named passwd in a directory named /etc. The tail command displays the last ten lines of that file — and new user accounts always appear at the end of the file. On most Linux systems, the useradd command automatically creates a home folder for the user. Use the following ls  command to check: You should see a home directory named fsmith. Create another user account, this time adding the comment field using the -c option. You’ll place the user’s full name in the comment field. Use the same `tail` command as above to display the new account. Do you see a section with the user’s full name? You enclosed the user’s full name (Sean Lee) in double quotes due to the space between the first and last name. Normally, Linux would treat those as two values—one called Sean and the other called Lee. By enclosing them in quotes, you tell Linux to treat the two words as a single value—”Sean Lee “. Create a third account for user Maria Garcia using the same command and option as you did for Sean Lee. Don’t forget to check the /etc/passwd file to confirm the account exists.

Modify a User Account

Notice that you did not enter a comment field for Fred Smith’s account containing his full name. Use the usermod command to update the account with the user’s full name: The -c “Fred Smith”  option remains the same but this time you used the usermod command to modify an existing account rather than the useradd command to create a new one. Check the usermod man page to see what other modifications you can make.

Delete a User Account

Now that you can create and modify accounts, it’s time to demonstrate removing accounts from the system. Create an account to delete named sgomez (for Saul Gomez) and confirm it exists in the /etc/passwd file. Delete user accounts using the userdelcommand. If you add the -r  option the system will delete the user’s home directory, too. There are a few other options in the userdel man page.

Set a Password for a User Account

Most Linux distributions don’t prompt you to set a user password during the account creation process. A user cannot log on with an account until it has a password configured. Use the passwd command to set a password: You’ll be prompted to enter the password twice. For now, set a simple password like Pa$$w0rd. Note that there is no indication on the screen that you’re typing a password. Set a password for the slee and mgarcia accounts, too. Use the same process to reset a forgotten password.

Manage Users (summary)

Practice using the three Linux commands for adding, modifying, and deleting user accounts and explore the related options using the man pages. Don’t forget to set passwords for each account using the passwd command.

Manage Groups

Groups are collections of user accounts with similar security requirements. These requirements usually center on directory and file access (permissions). The commands to manage Linux groups are similar to user management commands. In the earlier section, you created several user accounts, perhaps for a mock company. Next, you’ll organize those users into groups based on company departments. Use the groupadd command to create a group named InfoTech : Linux stores groups in the /etc/group file. Use the tail command to display the last few lines of this file. You should see the new InfoTech  group. Create two more groups — one named HR  and the other named PR  to represent the Human Resources and Public Relations departments. Verify they exist in the /etc/group file. The primary modification you might make to a group is renaming it. Use the groupmod command to rename the InfoTech  group to IT : Observe the order of arguments for the groupmod -n  command. Specify the new group name followed by the current group name. The groupdel command deletes groups. Note that deleting a group does not delete any user accounts contained in the group. Create a group named Sales  using the groupadd  command. Confirm it exists in the /etc/group  file. Next, delete the Sales  group using the groupdel  command: Verify the group is gone.

Place Users into Groups

You have now created, modified, and removed users. You’ve done the same for groups. However, you have not yet added a user to a group, which is essential. The following table shows how the users need to be organized. Adding a user to a group modifies the user, so the appropriate command is usermod . You’ll need the -a  and -G  options, too. The syntax to add user fsmith  to the IT  group looks like this: Use the tail  command to display the /etc/group  file. You should see the fsmith  account associated with the IT  group. Add the slee  account to the HR  group and the mgarcia  account to the PR  group. Confirm the memberships by checking the /etc/group  file.

Manage Groups (summary)

Practice using these commands by creating several groups and adding users to them. Review the /etc/group  file to confirm the groups and determine who is a member of each.

Wrap up

Spend some time in your lab environment creating, modifying, and deleting user accounts. Get in the habit of setting passwords for each account you create, too. Create some groups and practice adding users to them. These are daily tasks for Linux administrators and common objectives for Linux certification exams like CompTIA Linux+. Creating users is the first step toward controlling access to Linux files using permissions. The system must know the user’s identity to determine whether the user should be able to access a file. You might find it useful to create a small demo company that contains four/five departments and up to ten employees. Create accounts and groups for this demo organization. Work with these commands until they become second nature!