In this course, you'll learn how to manage users and groups. You'll learn where user and group information is stored on a Linux system, and you'll learn how to add, delete, and modify accounts and groups. This course is part of the Linux Administration Bootcamp learning path, designed to get you up and running with Linux.
- Anyone with basic knowledge of Linux who wants to learn more
- Professionals who want to learn more about Linux to enhance their career prospects
This is an intermediate-level course so some knowledge of Linux is expected. If you're just starting out, then try our Linux Fundamentals course first.
In this lesson, you'll learn how to manage users and groups. You'll learn where user and group information is stored at on a Linux system. And you'll learn how to add, delete, and modify accounts and groups. Linux is a multi-user operating system. Not only can multiple accounts exist on the system, but those accounts can be used at the same time. Each account consists of a username and a unique number called the UID, short for user ID. Also, each account has a default group to which it belongs. Some comments associated with that account, are shell to execute when the user logs into the system, and a home directory.
All this information is stored in the Etc password file. The first entry in the Etc password file is the root account. The password file contains different fields of information, each separated by a colon. The first field contains the username. The next field contains the password. Next, you'll find the user ID. Next, is the default group ID. Next, you'll find comments. The sixth field in the password file is the location of the account's home directory. And the last field in the password file is the shell to execute when that user logs into the system.
In the example of the root account, you can see that the username is root, and the password field there is an X. This actually means that the encrypted password is stored in the Etc shadow file. And we'll be talking about the shadow file in just a moment. The user ID for the root account is zero. The default group ID for the root account is also zero. The comment for the root account is simply the word, root. And you can see that the home directory is /route. The shell associated with the root account is bash.
Let's look at another entry in the Etc password file. This is for the Joe account. In this case, the username is Joe. Like the root account the password field contains an X. The user ID or UID is 1000. The group ID is also 1000. The comment, in this case, is the full name of the person that's using the account, which is Joe Henderson. The home directory is /home/Joe. And this shell is /bin/bash. Even though Linux supports usernames up to 32 characters in length, it's customary to keep usernames to eight or fewer characters. When using usernames longer than eight characters you will run into some situations where the UID is displayed in place of the username. For example, when looking at the output of the PS command.
Also know that usernames are case sensitive. Even though uppercase letters are allowed in usernames, by convention, usernames are in all lowercase letters. Digits are also allowed in usernames but avoid using special characters. Historically encrypted password information was stored in the Etc password file following the username. However, the Etc password file is readable by anyone on the system. So storing password information, even encrypted, is a security risk.
Now, by default, the encrypted password information is stored in Etc's shadow, which is only readable by the superuser account. The UID is a unique number. The root account is always UID 0. Accounts meant to be used by the system typically have UIDs lower than 1000. This is configurable, however, by updating the etc/login.defs file. The group ID or GID listed in the password file entry for the account is the accounts default group. When a user creates a file, that file will belong to the user's default group.
If a user wants to create files using another group they can use the new group command to change to a new group before creating the files. The comment field typically contains the user's real name or description of what the account is used for. You'll sometimes hear this field referred to as the GECOS field. This is a historical holdover from the early years of Unix. When a user logs into the system, they are placed into their home directory listed in the password file. If this directory does not exist, they will be placed into the root directory. The shell will be executed when the user logs into the system with their account.
You can see a list of installed shells on your Linux system by looking at the etc/shells file. Whatever is listed in the shell field will be executed upon log in, even if the program is not actually a shell. For example, you may see /usr/sbin/nologin or /bin/false in the shell field for certain accounts. This ensures that no one can use those accounts interactively. You can also use the shelf field to execute a program when a user logs into the system.
For example, you could force users into a menu driven application that only allows them access to certain actions. Like the Etc password file, the Etc shadow file contains a series of fields separated by a colon. The first field is the username. The second field contains the encrypted password. The third field is the number of days since January 1st, 1970 since the password has been changed. The fourth filled is the number of days before the password can be changed. The fifth field is the number of days after which the password must be changed. If this field contains 99999, the user never has to change their password. The sixth field is the number of days to warn the user that their password will expire. The seventh field is the number of days after the password has expired that the account is disabled. The eighth field is the number of days since January 1st, 1970 that an account has been disabled. The ninth field is reserved for future use.
Now that you know where account information is stored, let's create an account using the useradd command. Any accounts require superuser privileges. So make sure that you're using the root account or a pseudo. The format of the user command is useradd, followed by options, and finally, the username. The most commonly used options for the useradd command include -c followed by a comment, - m to create a user's home directory, - s to provide the path to the user shell.
In this example, an account is created for Grant Stewart. His username is Grant and his shell is bash. Now let's assign the account a password. To do this, use the PASSWD command followed by the username. You'll be prompted to enter a password for the user and to confirm that password. Here's the entry for the account in the Etc password file and the Etc shadow file. In this example, Grant's UID is 1000. His GID is also 1000. His home directory is /home/grant and his shell is /bin/bash. Other options for the useradd command include the following: - g to specify default group for the account, - G followed by a list of groups. This adds the account to those additional groups.
Let's create an account for Eddie Harris. His login will be eharris and his default group will be sales. We will also make him a member of the project X group as well. Not every account on a Linux system is meant to be used by a person. Some accounts exist to run applications or perform system functions. Some common examples of this include accounts that run web server processes, database processes, or some other application processes.
Let's create an account that will be used to run the Apache Web Server process. You'll notice that the shell was set to usr/sbin/nologin. This is because we don't want someone to be able to log into the system, using the account. We also use the -r option, which instructs useradd to create a system account. Effectively, this means that the account will receive a UID in the system account range as defined in Etc/login.defs. In this example, the user received UID 999. The home directory was specified using the -d option.
By default, the home directory for a new account is created in the /home directory. The actual directory will be the name of the user account. So by default, the Apache account's home directory would be /home/apache. However, since this account is used by an application, we set the home directory to the directory where the application is installed. Notice that the -m option was not used in this case. When using the -m option, the contents of the skeleton directory, /etc/skel, are copied into the user's home directory. The contents of /etc/skel/ usually include shell configuration files, which are not needed for application accounts in many instances.
Here are the new options we used to create this account; - r to create a system account, - d to specify a path to the home directory. It's a common practice to use the same UID for an account across multiple systems. This makes syncing data or sharing data easier to do as Linux uses UIDs to determine a file's ownership. The account name is really for the sake of us humans. Let's use the -u option to specify a UID when creating an account. In this example, we're creating an account to be used with MySQL server. We're specifying a UID of 97, by using -u 97 on the command line.
After we create the account, you can see that the UID is indeed 97 in the Etc password file. To delete an account, use the userdel command followed by the username. If you want to delete the account's home directory, use the -r option. It also removes the user's mail spool file if it exists. In this example, we'll delete the eharris' account but leave his home directory intact, since there are some files in there we want to use later. We'll also delete the Grant account and remove his home directory.
To update or modify an existing account, use the user mod command. Here are the most commonly used options to the user mod command. You can use -c followed by a comment to change the comment associated with an account. You can change the primary group by specifying -g followed by the group name. If you want to change the additional groups the account belongs to, use capital G followed by a list of groups separated by commas. To change the account's shell use -s followed by a path to that shell. Here's an example where we update the comment associated with a MySQL account. After we run the usermod command, we can see that the change takes effect in the Etc password file.
Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.