How to add/remove/modify Linux Users and Groups

This is a guide written to help administering Users and Groups properly in Linux.

User Management

useradd

useradd is a low level utility for adding a new user or update default new user information

When we run ‘useradd‘ command in Linux terminal, it performs following major things:

  • It edits /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow files for the newly created User account.
  • Creates and populate a home directory for the new user.
  • Sets permissions and ownerships to home directory.

1. Basic add a new user

  • sudo useradd vk9security
  • id vk9security

We need to set a password to unlock the user account. As per the command below, ! in /etc/shadow means the account is locked, we use ‘passwd’ to change the user password.

  • sudo cat /etc/shadow
  • sudo passwd vk9security
  • sudo cat /etc/shadow

Extra

To check if the account is locked. P means unlocked, L means Locked

  • passwd -S vk9sec
  • usermod -L vk9sec
  • passwd -S vk9sec

Once, the password is set, we can confirm the creation of the user in /etc/passwd (users file)

  • cat /etc/passwd

Analyzing /etc/passwd 7 fields

Adding users in Linux syntax explanation

  • Username: User login name used to login into system. It should be between 1 to 32 characters long.
  • Password: User password (or x character) stored in /etc/shadow file in encrypted format.
  • User ID (UID): Every user must have a User ID (UID) User Identification Number. By default UID 0 is reserved for root, user and UID’s ranging from 1-99 are reserved for other predefined accounts. Further UID’s ranging from 100-999 are reserved for system accounts and groups.
  • Group ID (GID): The primary Group ID (GID) Group Identification Number stored in /etc/group file.
  • User Info: Description text
  • Home Directory: The absolute location of user’s home directory.
  • Shell: The absolute location of a user’s shell i.e. /bin/bash.

2. Create an user with different home directory

-d = The directory HOME_DIR does not have to exist but will not be created if it is missing.

  • useradd -d /tmp/test vk9security
  • cat /etc/passwd | grep vk9

3. Create a user with a defined UID

-u = The default is to use the smallest ID value greater than or equal to UID_MIN and greater than every other user.

  • useradd -u 1999 vk9security
  • id vk9security

4. Create a user and add it to an existing group

-g = The group name or number of the user's initial login group. The group name must exist.

  • useradd -g 60 vk9security
  • id vk9security

5. Add a user to multiple groups

-G = A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. (name or GID)

  • useradd -G bluetooth,122,www-data vk9security
  • id vk9security

6. Add a user without home directory

-M = Do not create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.

  • useradd -M vk9security
  • cat /etc/passwd | grep vk9
  • ls /home/vk9security

7. Create a temporary account

-e = The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.

-f = The number of days after a password expires until the account is permanently disabled.

  • useradd -e 2020-03-08 -f 5 vk9security
  • chage -l vk9security

8. Create the account and leave a comment

-c = Any text string. It is generally a short description of the login

  • useradd -c "This is a test account" vk9security
  • cat /etc/passwd | grep vk9

9. Choose the login shell

-s = The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell specified by the SHELL variable in /etc/default/useradd

/usr/sbin/nologin = add the account without user shell

  • useradd -s /usr/sbin/nologin vk9security
  • cat /etc/passwd | grep vk9

userdel

delete a user account and related files

1. Delete the user account and the user home directory

-r, --remove = Files in the user's home directory will be removed along with the home directory itself and the user's mail spool.

  • userdel -r vk9security

2. Force the removal

-f, --force = This option forces the removal of the user account, even if the user is still logged in.

  • userdel -rf vk9security

usermod

After creating user accounts, in some scenarios where we need to change the attributes of an existing user such as, change user’s home directory, login name, login shell, password expiry date, etc, where in such case ‘usermod’ command is used.

When we execute ‘usermod‘ command in terminal, the following files are used and affected.

  • /etc/passwd – User account information.
  • /etc/shadow – Secure account information.
  • /etc/group – Group account information.
  • /etc/gshadow – Secure group account information.
  • /etc/login.defs – Shadow password suite configuration..

Requirements

  • existing user accounts to execute usermod command.
  • Only superuser (root) is allowed to execute usermod command.

Command options

  • -c = We can add comment field for the useraccount.
  • -d = To modify the directory for any existing user account.
  • -e = Using this option we can make the account expiry in specific period.
  • -g = Change the primary group for a User.
  • -G = To add a supplementary groups.
  • -a = To add anyone of the group to a secondary group.
  • -l = To change the login name from tecmint to tecmint_admin.
  • -L = To lock the user account. This will lock the password so we can’t use the account.
  • -m = moving the contents of the home directory from existing home dir to new dir.
  • -p = To Use un-encrypted password for the new password. (NOT Secured).
  • -s = Create a Specified shell for new accounts.
  • -u = Used to Assigned UID for the user account between 0 to 999.
  • -U = To unlock the user accounts. This will remove the password lock and allow us to use the user account.

1. Add a comment

-c, --comment = The new value of the user's password file comment field.

  • cat /etc/passwd | grep vk9
  • usermod -c "This is a test acc" vk9security
  • cat /etc/passwd | grep vk9

2. Change user home directory

-d, --home = The user's new login directory.

  • cat /etc/passwd | grep vk9
  • usermod -d /tmp/test vk9security
  • cat /etc/passwd | grep vk9

3. Set account expiration

-e, --expiredate = The date on which the user account will be disabled. The date is specified in the format YYYY-MM-DD.

  • chage -l vk9security
  • usermod -e 2020-03-09 vk9security
  • chage -l vk9security

4. Change user primary group

-g, --gid = The group name or number of the user's new initial login group. The group must exist.

  • id vk9security
  • usermod -g www-data vk9security
  • id vk9security

5. Adding an existing user to other groups

-G, --groups = A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace.

  • id vk9security
  • usermod -G bluetooth,vk9security vk9security
  • id vk9security

6. Change login name, or username

-l, --login = The name of the user will be changed from LOGIN to NEW_LOGIN. Nothing else is changed. In particular, the user's home directory or mail spool should probably be renamed manually to reflect the new login name.

  • id vk9security
  • usermod -l vk9sec vk9security
  • id vk9security

7. Lock user account

-L, --lock = Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password.

  • cat /etc/shadow | grep vk9
  • usermod -L vk9sec
  • cat /etc/shadow | grep vk9

8. Unlock a user

-U, --unlock = Unlock a user's password. This removes the '!' in front of the encrypted password.

  • cat /etc/shadow | grep vk9
  • usermod -U vk9sec
  • cat /etc/shadow | grep vk9

9. Move home directory to a new location

-m, --move-home = Move the content of the user's home directory to the new location.

  • usermod -d /home/vk9security -m vk9sec

10. Change user shell

-s, --shell = The name of the user's new login shell.

  • cat /etc/passwd | grep vk9
  • usermod -s /bin/bash vk9sec
  • cat /etc/passwd | grep vk9

11. Change user UID

-u, --uid = The new numerical value of the user's ID.

  • id vk9sec
  • usermod -u 1111 vk9sec
  • id vk9sec

12. Change user GID

-g, --gid = The group name or number of the user's new initial login group.

  • id vk9sec
  • usermod -g 129 vk9sec
  • id vk9sec

Group Management

groupadd

The /etc/group file holds all of the group information, as well as the users belonging to each group. The structure is very similar to that of /etc/password.

/etc/password structure in Linux

1. Create a new group

  • groupadd test_g
  • cat /etc/group | grep test

2. Specify the GID

-g, --gid = The numerical value of the group's ID. This value must be unique, unless the -o option is used.

  • groupadd -g 1050 test_g
  • cat /etc/group | grep test

3. Create a system group

-r, --system = Create a system group.

  • groupadd -r sys_test
  • cat /etc/group | grep sys_test

groupdel

delete a group

1. Delete an existing group

  • cat /etc/group | grep sys_tes
  • groupdel sys_test
  • cat /etc/group | grep sys_tes

groupmod

modify a group definition on the system

1. Change group name

-n, --new-name = The name of the group will be changed from GROUP to NEW_GROUP name.

  • groupmod -n test test_g
  • cat /etc/group | grep test

2. Change GID

-g, --gid = The group ID of the given GROUP will be changed to GID.

  • cat /etc/group | grep test
  • groupmod -g 1100 test
  • cat /etc/group | grep test