How to manage users and groups in Linux
User and group management are two must-have skills for every Linux administrator.
"What skills must Linux administrators have?" is way too broad a question for any single article. But there are plenty of general must-have sysadmin skills—and user and group administration are chief among them. Proper user account management enables Linux to enforce access controls (permissions) and audit who does what on the system.
The commands below are written for Red Hat Enterprise Linux (RHEL) and RHEL-like distributions, but the concepts apply to any distribution of Linux. Knowing the skills and commands outlined in this article (and its two follow-up pieces, which dive deeper into user admin and group admin) helps ensure you're ready for the day-to-day user and group administration tasks a sysadmin is called on to do.
Users must authenticate to any system they need to use. This authentication provides access to resources and a customized, user-specific environment. The user's identity is based on their user account. What skills do sysadmins need to manage user accounts?
1. Understand the /etc/passwd file
User account information is stored in the
/etc/passwd file. This information includes the account name, home directory location, and default shell, among other values. Linux sysadmins should be able to recognize these fields.
Each field is separated by a
: character, and not all fields must be populated, but you must delineate them.
Here's an example of the
In this example, the comment field is empty:
Observe how the two colons still exist to delineate the comment field.
Here is an example with the comment field populated:
I'll discuss passwords more below, but expect to see an
x in the password field of this file.
For more information, see:
- Linux sysadmin basics: User account management
- Linux sysadmin basics: User account management with UIDs and GIDs
2. Understand the /etc/shadow file
Long ago, password hashes were stored in the
/etc/passwd file. This file was world-readable, allowing inquisitive users to pull password hashes for other accounts from the file and run them through password-cracking utilities. Eventually, the password hashes were moved to a file readable only by root:
/etc/shadow. Today, the password field in the
/etc/passwd file is marked with an
Administrators should recognize each field in
/etc/shadow. Several of the fields pertain to password requirements.
Here's an example of
username:password:last password change:min:max:warning:inactive:expired
The first two fields identify the user and a hashed version of the password, while the remaining six fields represent password change information. The password information is manipulated with the
Look at these articles for additional details:
- The effects of adding users to a Linux system
- Forcing Linux system password changes with the chage command
3. Create, modify, and delete user accounts
The process for managing user accounts is very straightforward. Sysadmins either add, modify, or delete users, and the related commands are quite intuitive.
The commands to manage user accounts on RHEL and RHEL-like distributions are:
Ken Hess documents these commands in Linux sysadmin basics: User account management. There are many options available to customize the user accounts and their related resources.
My companion article provides specifics about the
[ You might also be interested in downloading the Bash shell scripting cheat sheet. ]
4. Manage password requirements
Many organizations rely on password policies to define appropriate password requirements. Sysadmins can enforce those requirements by using various mechanisms on Linux.
Two common ways of managing password settings are using the
/etc/login.defs file or Pluggable Authentication Module (PAM) settings. Be sure to understand the options, fields, and settings for this important security configuration.
For more detail on password security settings, read:
- Managing Linux users with the passwd command
- Linux security: 8 more system lockdown controls
- How to enhance Linux user security with Pluggable Authentication Module settings
- An introduction to Pluggable Authentication Modules in Linux
It's more efficient to group user accounts with similar access requirements than to manage permissions on a user-by-user basis. Therefore, sysadmins need to be comfortable with the process of creating, modifying, and deleting groups.
[ Practice your Linux skills in the free online course RHEL technical overview. ]
1. Understand the /etc/group file
Similar to the
/etc/passwd file above, the
/etc/group file contains group account information. This information can be essential for troubleshooting, security audits, and ensuring users can access the resources they need.
Understand each field of the file to make life easier as a sysadmin.
The fields in the
/etc/group file are:
Here is an example of the editors group with two members:
Tyler Carrigan's article Managing local group accounts in Linux presents this information nicely.
Linux groups are significantly different from local groups in Windows, so be sure to understand the differences.
2. Create, modify, and delete groups
Like the user account commands described above, the group management commands are very intuitive and provide a lot of flexibility. There is an easy-to-remember command for each function you might need to carry out for a group:
The following articles provide a good overview of working with groups:
- Managing local groups account in Linux
- 3 basic Linux group management commands every sysadmin should know
3. Manage group membership
Adding users to a group simplifies permissions management. Many people find the process a little unintuitive: Adding a user to a group modifies the user, not the group. Therefore, the necessary command is the
Here are some commands to display group information:
usermod: Update group membership
id: Display a list of groups the user is a member of
cat /etc/group: Show a list of existing groups, with membership displayed in the last field
One resource for these commands is their related man pages.
The process for adding users to a group requires the
-G options. Tyler Carrigan's article Managing local group accounts in Linux covers using these options to manipulate group membership.
If these commands and files seem familiar, you can probably manage most basic sysadmin user and group management tasks in RHEL. Otherwise, you now have some great resources right at your fingertips for learning more.
This article explores some legitimate use cases for the sudo command.
How to manage permissions and ownership for users, groups, and all others to resources such as directories and files.
How to use the useradd, usermod, and userdel commands is essential knowledge for Linux administrators.
How to use the groupadd, groupmod, and groupdel commands is essential knowledge for Linux sysadmins.