User Management in Linux

Modern operating systems (including Windows, Unix/Linux, and macOS) are multi-user. This means that multiple users can be created and managed separately without interfering with other users or programs. You can also edit users: change their names, groups they belong to, etc. In this article, we will discuss user management in Linux using the Ubuntu distribution.

This user management guide will work for any cloud server or virtual machine with a pre-installed Linux operating system.

In this article, we use Ubuntu version 22.04, but you can use any other distribution, including Debian, CentOS, etc.

All commands are executed from the root account. Regular users cannot create, delete, or modify user and group information without sudo privileges.

Where User Information is Stored

In Linux systems, whether a user was created manually or as a result of installing some software, their information is stored in the /etc/passwd file. To show all users of a Linux system, run:

cat /etc/passwd

The structure of the passwd file is as follows:

username:password:user_id:group_id:additional_info:home_directory_path:shell_path

For example:

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

Explanation of the fields in the passwd file:

• Username — used, for example, for SSH login or when adding to a specific user group. The username length can be 1 to 32 characters.

• Password — in modern Linux distributions, passwords are not stored in plain text. Instead, one of the following symbols is used:

• x — means the password is stored in encrypted form with "salt" (a random set of characters added to the password hash to complicate the password-cracking process). The encrypted password itself is stored in the /etc/shadow file.

• * — means the user does not have permissions to log into the operating system.

• The user account does not have a password if neither of these symbols is present.

• User ID (UID) — each created user in a Linux system is assigned a unique number (identifier) in the form of a positive number.

• The number 0 always belongs to the root user. Numbers from 1 to 9 and from 10 to 499 are reserved and allocated only for pseudo-users (users created with the installation of certain programs, such as PostgreSQL or Nginx). For regular users, numbers usually start from 500 or 1000. The user ID can be changed (except for the root user).

• Group ID (GID) — when a user is created, a group with the same name is also created. Groups allow you to assign permissions to objects in the system (files, directories, etc.) to several users at once. A user must be in at least one group. Like users, groups are assigned unique numerical IDs.

• Additional Information — you can add additional information for users, such as full name, address, phone number.

• Home Directory Path — each user in the Linux system has their own home directory. By default, it is located in the /home directory, but you can choose another one, such as /var or /bin. For example, when installing PostgreSQL, a user named postgres is automatically created, with a home directory at /var/lib/postgresql.

• Shell Path and Login Prohibition — a user may have a command shell for executing commands (usually bash or sh). ALso, you can prohibit a user from logging into the server by using /bin/false or /usr/sbin/nologin.

Creating Users with useradd

To create users in Linux systems, you can use a low-level utility called useradd.

For example, to create a user named hostman:

useradd hostman

If we look at the contents of the /etc/passwd file, at the end of the list we will see information about the created user:

cat /etc/passwd

However, it is important to note that by default, i.e., without using options, useradd does NOT create a password or home directory for the user. Although there is a corresponding value in the /etc/passwd file, the utility merely reserves the home directory for the user.

To set a password for the user, run the passwd command. Let's set a password for our user hostman:

passwd hostman

You will need to enter the password twice. 

Note that setting a password is mandatory. Without it, the new user will not be able to log in.

When using the useradd command, you can set a password during the user creation stage using the -p option, but the password must be pre-encrypted. The openssl utility (present by default in most Linux distributions) can be used for this. Let's create a user named new-user and set the password StrongPassword123$ for them:

useradd -m -p $(openssl passwd -1 StrongPassword123$) new-user

Check the /etc/passwd file:

cat /etc/passwd

You can see that new-user exists and has a password, which is indicated by the symbol x.

It is not a recommended method for password setting because the password is entered in plain text and is available in the command history.

Although useradd only creates users, the utility has options for setting the user's home directory and login shell.

To create a user and set their home directory, use the -m and -d keys, followed by the full path to the intended directory:

useradd -m -d /home/hostman hostman

If you do not specify the directory manually, the user's home directory will be created in the /home directory.

To set the user's shell, use the -s option, followed by the shell:

useradd -s /usr/bin/bash hostman

Creating Users with adduser

In the previous section, we used the useradd utility to create users. However, the useradd manual for Debian-based systems advises using adduser instead of useradd.

The adduser command, like useradd, creates users in the system but works at a higher level and is interactive. Technically, adduser is a Perl script that uses useradd to create users.

When using adduser, you specify the username, and the utility will automatically:

• create a group with the same name for the user,
• create a home directory in the /home directory,
• prompt for a password,
• fill in information such as full name (Full Name), room number (Room Number), work phone (Work Phone), home phone (Home Phone), and any other information you consider necessary (Other). If you do not want to fill in this information, just press Enter until you reach the final question: "Is the information correct?". You need to enter Y (yes) or n (no).

In the screenshot, you can see how we created a user named testuser using the adduser utility:

Using adduser significantly simplifies creating new users, as you do not have to use additional commands and options.

Deleting Users

To delete a user on Linux, use the userdel command. Let's delete a user named test1:

userdel test1

By default, the userdel command does not delete the user's home directory. To delete both the user and their home directory, use the -r key:

userdel -r test1

There is another way to delete a user account on Linux — using the deluser command. The deluser utility is available only in Debian-based distributions. To delete the user testuser using deluser, execute the following command:

deluser testuser

Just like when using the userdel command, the deluser command does not delete the user's home directory and the user's directory in /var/mail where email messages are stored. To delete these directories when deleting the user, use the --remove-home option:

deluser --remove-home testuser

Managing User Passwords

As mentioned earlier, modern Linux distributions do not store passwords in plain text. Instead, the system stores only their hash functions. The hash functions are stored in a separate text file called /etc/shadow:

The structure of the shadow file is as follows:

username:encrypted_password:last_password_change_date:minimum_days_between_password_changes:maximum_days_before_password_change:days_before_password_expiry:days_after_password_expiry_until_account_is_disabled:account_expiry_date

For example:

hostman:$y$j9T$csuJ6HDxYMO4UA0WABfwj1$dZOda.QqT7XS/1Ut3UJIVIG3kJTzMli/Rn0Ku/Vwdv/:19912:0:99999:7:::

Explanation of the fields in the shadow file:

• Username is the username for which the password is stored.

• Password is the encrypted password in hash function form. The hash function used to create the password is indicated by symbols such as $y$, $1$, $2y$, etc.

• Last Password Change Date is the number of days since the last password change, calculated from January 1, 1970.

• Minimum Days Between Password Changes is the minimum number of days between password changes.

• Maximum Days Before Password Change is the maximum number of days before the user must change the password.

• Days Before Password Expiry is the number of days before the password expires, and the system starts notifying the user that the password needs to be changed.

• Days After Password Expiry Until Account is Disabled is the number of days after the password expires until the account is disabled.

• Account Expiry Date is the date the account will be disabled, counted in days from January 1, 1970.

To change a user's password, use the passwd command. The root user can change the password for any user, but a regular user can only change their own password.

For example, to change the password for the user hostman, run the command as the root user:

passwd hostman

Enter the new password for the user twice, and the password will be updated.

To force the user to change their password at the next login, use the passwd command with the -e key:

passwd -e hostman

This command sets the password expiration date to the current date, so the user will be prompted to change their password the next time they log in.

Managing User Groups

Groups in Linux are necessary for organizing users. Each user must be in at least one group. When you create a user, a group with the same name is created by default.

To view all groups in the system, use the getent command:

getent group

It will show the content of the /etc/group file. The structure of the file is as follows:

group_name:password:group_id:group_members

For example:

hostman:x:1001:

Explanation of the fields in the group file:

• Group Name — the name of the group.

• Password — the group password, usually indicated by the symbol x, meaning the password is stored in encrypted form.

• Group ID — the unique identifier of the group.

• Group Members — the list of users who are members of the group.

To create a group, you can use groupadd. Let’s create a group named group1:

groupadd group1

Groups can be renamed using groupmod. This way we rename group1 to newgrp:

groupmod -n newgrp group1

To add a user to a group in Linux, use the usermod command with the -aG option, where -a means "append" and -G specifies the group:

usermod -aG sudo hostman

To add several users at once, you can use:

gpasswd -M user1,user2 newgrp

To check a user’s group, use the groups command and the username, for example:

groups hostman

To remove a user from a group, use the gpasswd command with the -d option:

gpasswd -d hostman sudo

Another option is to use deluser which can also delete users from groups. For example, to remove user1 from nwgrp:

deluser user1 newgrp

Conclusion

Managing users and groups in Linux is a fundamental task for system administrators. This article covered the basic commands and utilities for creating, deleting, and managing users and groups in a Linux system. Understanding these concepts and tools is essential for maintaining a secure and efficient operating environment.