User and Group Management

This guide covers user and group management in Linux systems, including creation, modification, and security.

👤 User Management

User types

Type

Description

Example

user account

Normal user

username

root

Superuser

root

system account

System user

daemon, ssh

service account

Service user

nginx, mysql

User Information

# View user information
id username               # Show user ID and groups
whoami                   # Show current username
who                      # Show logged in users
w                        # Show who is logged in and what they're doing
last                     # Show last logins
lastlog                  # Show last login for all users

User Creation and Modification

-c - Custom comments
-d - Home directory
-e - Expiration date
-g - Group GID
-l - Do not add the user to the lastlog and faillog databases
-m - Create the user's home directory
-M - Do not create the user's home directory
-N - Do not create a group with the same name as the user
-o - Allow to create users with duplicate (non-unique) UID
-p - Encrypted password of the new account
-r - Create a system account
-R - Directory to chroot into
-P - Prefix directory where are located the /etc/* files
-s - Login shell of the new account
-u - User ID of the new account
-U - Create a group with the same name as the user
-Z - Use a specific SEUSER for the SELinux user mapping

# Create user
useradd username                 # Basic user creation
useradd -m -s /bin/bash username # Create with home dir and shell
adduser username                # Interactive user creation

# Modify user
usermod -aG groupname username  # Add user to group
usermod -s /bin/bash username   # Change shell
usermod -L username            # Lock account
usermod -U username            # Unlock account

# Delete user
userdel username               # Delete user
userdel -r username           # Delete user and home directory

Password Management

# Set/change password
passwd username                # Set password
passwd -l username            # Lock password
passwd -u username            # Unlock password
passwd -e username            # Expire password

# Password policies
chage -l username            # View password aging
chage -M 90 username         # Set maximum password age
chage -d 0 username          # Force password change

👥 Group Management

Group Information

# View groups
groups username              # Show user's groups
getent group                # List all groups
getent group groupname      # Show group details
cat /etc/group              # View group file

Group Creation and Modification

# Create group
groupadd groupname          # Create new group
groupadd -g 1000 groupname # Create with specific GID

# Modify group
groupmod -n newname oldname # Rename group
groupmod -g 1001 groupname # Change GID

# Delete group
groupdel groupname         # Delete group

Group Membership

# Modify members
gpasswd -a username groupname # Add user to group
gpasswd -d username groupname # Remove from group
gpasswd -A username groupname # Set group administrator

🔐 User Security

Account Security

# Account locking
passwd -l username         # Lock account
passwd -u username         # Unlock account

# Account expiration
usermod -e 2024-12-31 username # Set expiration date
usermod -e "" username         # Remove expiration

# Login restrictions
/etc/nologin              # Prevent non-root logins
/etc/security/limits.conf # Set resource limits

Sudo Configuration

# Edit sudo configuration
visudo                    # Edit sudoers file

# Common sudo entries
username ALL=(ALL) ALL    # Full sudo access
username ALL=(ALL) NOPASSWD: ALL # No password
%groupname ALL=(ALL) ALL  # Group sudo access

📁 Home Directory Management

Home Directory Operations

# Create home directory
mkhomedir_helper username  # Create home directory
cp -r /etc/skel /home/username # Copy skeleton files

# Fix permissions
chown -R username:group /home/username
chmod 700 /home/username

User Files

# Important user files
/etc/passwd              # User account information
/etc/shadow              # Encrypted passwords
/etc/group               # Group information
/etc/gshadow            # Group passwords
/etc/skel/              # Skeleton directory

🔍 System Users and Groups

System Accounts

# Create system user
useradd -r username      # Create system user
useradd -r -s /sbin/nologin username # No login shell

# System groups
groupadd -r groupname    # Create system group

Special Users

# Root user
sudo su -                # Switch to root
sudo -i                  # Interactive root shell

# Service accounts
useradd -r -s /sbin/nologin webserver

💡 Best Practices

Security
- Use strong passwords
- Regular password changes
- Limit sudo access
- Audit user accounts
Management
- Document user creation
- Regular account review
- Remove unused accounts
- Standardize naming
Permissions
- Use least privilege
- Regular permission audit
- Secure home directories
- Group-based access

🛠️ Advanced Configuration

PAM Configuration

# PAM configuration files
/etc/pam.d/              # PAM configuration directory
/etc/security/           # Security policies

# Common PAM modules
pam_unix.so              # Unix authentication
pam_limits.so            # Resource limits
pam_access.so           # Access control

# Login settings
/etc/login.defs         # Login policy settings
/etc/shells            # Valid login shells
/etc/security/limits.conf # Resource limits

📊 User Monitoring

Activity Monitoring

# Monitor user activity
w                       # Current activity
last                    # Login history
lastlog                 # Last login times
ac                      # Connect time accounting

# Process monitoring
ps -u username         # User processes
top -u username        # Real-time monitoring

Audit Configuration

# Enable user auditing
auditctl -w /etc/passwd -p wa -k user-modify
auditctl -w /etc/group -p wa -k group-modify

# View audit logs
ausearch -k user-modify

🔧 Troubleshooting

Common Issues

# Login issues
tail -f /var/log/auth.log  # Authentication logs
grep username /var/log/secure # Security logs

# Permission issues
ls -l /home/username      # Check home directory
namei -l /home/username   # Check path permissions

Account Recovery

# Password reset
passwd -d username        # Delete password
chroot /mnt passwd username # Reset from live system

# Home directory repair
find /home/username -type f -exec chown username:group {} \;

PreviousShell types NextVI editor

Last updated 1 year ago

Was this helpful?