Modern operating systems (including Windows, Unix/Linux, and macOS) are multi-user. This means that multiple users can be created and managed separately without interfering with other users or programs. You can also edit users: change their names, groups they belong to, etc. In this article, we will discuss user management in Linux using the Ubuntu distribution.
This user management guide will work for any cloud server or virtual machine with a pre-installed Linux operating system.
In this article, we use Ubuntu version 22.04, but you can use any other distribution, including Debian, CentOS, etc.
All commands are executed from the root account. Regular users cannot create, delete, or modify user and group information without sudo privileges.
In Linux systems, whether a user was created manually or as a result of installing some software, their information is stored in the /etc/passwd file. To show all users of a Linux system, run:
cat /etc/passwd
The structure of the passwd file is as follows:
username:password:user_id:group_id:additional_info:home_directory_path:shell_path
For example:
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
Explanation of the fields in the passwd file:
Username — used, for example, for SSH login or when adding to a specific user group. The username length can be 1 to 32 characters.
Password — in modern Linux distributions, passwords are not stored in plain text. Instead, one of the following symbols is used:
x — means the password is stored in encrypted form with "salt" (a random set of characters added to the password hash to complicate the password-cracking process). The encrypted password itself is stored in the /etc/shadow file.
* — means the user does not have permissions to log into the operating system.
The user account does not have a password if neither of these symbols is present.
User ID (UID) — each created user in a Linux system is assigned a unique number (identifier) in the form of a positive number.
The number 0 always belongs to the root user. Numbers from 1 to 9 and from 10 to 499 are reserved and allocated only for pseudo-users (users created with the installation of certain programs, such as PostgreSQL or Nginx). For regular users, numbers usually start from 500 or 1000. The user ID can be changed (except for the root user).
Group ID (GID) — when a user is created, a group with the same name is also created. Groups allow you to assign permissions to objects in the system (files, directories, etc.) to several users at once. A user must be in at least one group. Like users, groups are assigned unique numerical IDs.
Additional Information — you can add additional information for users, such as full name, address, phone number.
Home Directory Path — each user in the Linux system has their own home directory. By default, it is located in the /home directory, but you can choose another one, such as /var or /bin. For example, when installing PostgreSQL, a user named postgres is automatically created, with a home directory at /var/lib/postgresql.
Shell Path and Login Prohibition — a user may have a command shell for executing commands (usually bash or sh). Also, you can prohibit a user from logging into the server by using /bin/false or /usr/sbin/nologin.
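The seven passwd fields described above are easiest to understand by querying them. The following shell script is an added example, not part of the original article: it reads passwd-format records on standard input and answers the questions an administrator reviewing /etc/passwd usually asks (who can log in interactively, who has an empty password field, who else has UID 0). SAMPLE_PASSWD is a constructed sample; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): read passwd-format records
# and report on the fields explained in the text.
# SAMPLE_PASSWD is a constructed sample; feed the same functions with
# "< /etc/passwd" to run the checks against a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
postgres:x:118:125:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
hostman:x:1000:1000:Hostman User:/home/hostman:/bin/bash
backup2::1001:1001::/home/backup2:/bin/sh
oldadmin:x:0:0:second uid 0:/home/oldadmin:/bin/bash
svc:*:1002:1002::/home/svc:/usr/sbin/nologin'

# Each function reads passwd lines on stdin and prints matching usernames.

# Accounts whose shell (field 7) permits an interactive login.
login_users() {
  awk -F: '$7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }'
}

# Empty password field (field 2): neither "x" nor "*", so no password is set.
passwordless_users() {
  awk -F: '$2 == "" { print $1 }'
}

# Password field "*" (or starting with "!"): the account cannot log in with a password.
locked_users() {
  awk -F: '$2 ~ /^[*!]/ { print $1 }'
}

# UID 0 (field 3) belongs to root; any other record with UID 0 is a second superuser.
extra_uid0_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Regular users on Ubuntu start at UID 1000; everything below is a system account.
regular_users() {
  awk -F: '$3 >= 1000 { print $1 }'
}

# Short report over the constructed sample.
passwd_report() {
  printf 'Interactive accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | login_users | tr '\n' ' ')"
  printf 'No password set:      %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | passwordless_users | tr '\n' ' ')"
  printf 'Extra UID 0 accounts: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_users | tr '\n' ' ')"
}
passwd_report
```

The two findings worth acting on in the sample are backup2 (empty password field) and oldadmin (a second UID 0 account); both are exactly the conditions the field descriptions above let you recognise.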
To create users in Linux systems, you can use a low-level utility called useradd. For example, to create a user named hostman:
useradd hostman
If we look at the contents of the /etc/passwd file, at the end of the list we will see information about the created user:
cat /etc/passwd
However, it is important to note that by default, i.e., without using options, useradd does NOT create a password or home directory for the user. Although there is a corresponding value in the /etc/passwd file, the utility merely reserves the home directory for the user.
To set a password for the user, run the passwd command. Let's set a password for our user hostman:
passwd hostman
You will need to enter the password twice.
Note that setting a password is mandatory. Without it, the new user will not be able to log in.
When using the useradd command, you can set a password during the user creation stage using the -p option, but the password must be pre-encrypted. The openssl utility (present by default in most Linux distributions) can be used for this. Let's create a user named new-user and set the password StrongPassword123$ for them:
useradd -m -p $(openssl passwd -1 StrongPassword123$) new-user
Check the /etc/passwd file:
cat /etc/passwd
You can see that new-user exists and has a password, which is indicated by the symbol x.
This method of setting a password is not recommended, because the password is typed in plain text and remains available in the command history.
Although useradd only creates users, the utility has options for setting the user's home directory and login shell.
To create a user and set their home directory, use the -m and -d keys, followed by the full path to the intended directory:
useradd -m -d /home/hostman hostman
If you do not specify the directory manually, the user's home directory will be created in the /home directory.
To set the user's shell, use the -s option, followed by the shell:
useradd -s /usr/bin/bash hostman
In the previous section, we used the useradd utility to create users. However, the useradd manual for Debian-based systems advises using adduser instead of useradd.
The adduser command, like useradd, creates users in the system but works at a higher level and is interactive. Technically, adduser is a Perl script that uses useradd to create users.
When using adduser, you specify the username, and the utility will automatically create the user's home directory in the /home directory. In the screenshot, you can see how we created a user named testuser using the adduser utility:
Using adduser significantly simplifies creating new users, as you do not have to use additional commands and options.
To delete a user on Linux, use the userdel command. Let's delete a user named test1:
userdel test1
By default, the userdel command does not delete the user's home directory. To delete both the user and their home directory, use the -r key:
userdel -r test1
There is another way to delete a user account on Linux — using the deluser command. The deluser utility is available only in Debian-based distributions. To delete the user testuser using deluser, execute the following command:
deluser testuser
Just like the userdel command, the deluser command does not delete the user's home directory or the user's mail spool in /var/mail, where email messages are stored. To delete these directories along with the user, use the --remove-home option:
deluser --remove-home testuser
As mentioned earlier, modern Linux distributions do not store passwords in plain text. Instead, the system stores only password hashes. The hashes are kept in a separate text file called /etc/shadow.
The structure of the shadow file is as follows:
username:encrypted_password:last_password_change_date:minimum_days_between_password_changes:maximum_days_before_password_change:days_before_password_expiry:days_after_password_expiry_until_account_is_disabled:account_expiry_date
For example:
hostman:$y$j9T$csuJ6HDxYMO4UA0WABfwj1$dZOda.QqT7XS/1Ut3UJIVIG3kJTzMli/Rn0Ku/Vwdv/:19912:0:99999:7:::
Explanation of the fields in the shadow file:
Username is the username for which the password is stored.
Password is the password hash. The algorithm used to produce it is indicated by the prefix, such as $y$, $1$, $2y$, etc.
Last Password Change Date is the number of days since the last password change, calculated from January 1, 1970.
Minimum Days Between Password Changes is the minimum number of days between password changes.
Maximum Days Before Password Change is the maximum number of days before the user must change the password.
Days Before Password Expiry is the number of days before the password expires, and the system starts notifying the user that the password needs to be changed.
Days After Password Expiry Until Account is Disabled is the number of days after the password expires until the account is disabled.
Account Expiry Date is the date the account will be disabled, counted in days from January 1, 1970.
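The eight shadow fields are mostly day counts, so an audit over them is a few awk comparisons. The script below is an added example, not part of the original article: it reads shadow-format records on standard input and reports the hashing algorithm per account, accounts with an empty hash, accounts whose last-change day is 0 (the state passwd -e produces, described later on this page), passwords past their maximum age, expired accounts, and md5crypt ($1$) hashes, which are fast to brute-force. SAMPLE_SHADOW is constructed (every hash is a placeholder except hostman's, which is the article's own line), TODAY is a fixed day count so the results are reproducible, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit shadow-format records
# using the eight fields explained in the text. SAMPLE_SHADOW is constructed
# (hashes are placeholders except hostman's, taken from the article); TODAY is
# a fixed day count since 1970-01-01 so the results are reproducible.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19800:0:99999:7:::
hostman:$y$j9T$csuJ6HDxYMO4UA0WABfwj1$dZOda.QqT7XS/1Ut3UJIVIG3kJTzMli/Rn0Ku/Vwdv/:19912:0:99999:7:::
gnats:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
legacy:$1$abc$placeholdermd5:18000:0:90:7:::
temp:$6$xyz$placeholderhash:19900:0:99999:7::19950:
forced:$6$abc$placeholderhash:0:0:99999:7:::
nopass::19900:0:99999:7:::'
TODAY=19960

# All functions read shadow lines on stdin and print one result per line.

# The prefix of field 2 identifies the hashing algorithm (or a lock marker).
shadow_hash_algo() {
  awk -F: '{
    h = $2
    p = substr(h, 1, 3)                       # e.g. "$6$"
    if (h == "")                    a = "none"
    else if (h ~ /^[!*]/)           a = "locked"
    else if (p == "$y$")            a = "yescrypt"
    else if (p == "$6$")            a = "sha512crypt"
    else if (p == "$5$")            a = "sha256crypt"
    else if (substr(h, 1, 2) == "$2") a = "bcrypt"
    else if (p == "$1$")            a = "md5crypt"
    else                            a = "unknown"
    print $1, a
  }'
}

# Empty hash: no password is needed to log in.
shadow_no_password() { awk -F: '$2 == "" { print $1 }'; }

# Last change (field 3) of 0 is what "passwd -e" sets: change required at next login.
shadow_must_change() { awk -F: '$3 == 0 { print $1 }'; }

# Password older than its maximum age (field 5); 99999 means "never expires".
shadow_password_expired() {
  awk -F: -v today="$TODAY" '$5 != "" && $5 != 99999 && $3 + $5 < today { print $1 }'
}

# Account expiry day (field 8) already reached.
shadow_account_expired() {
  awk -F: -v today="$TODAY" '$8 != "" && $8 <= today { print $1 }'
}

# md5crypt ($1$) hashes are cheap to brute-force; flag them for rotation.
shadow_weak_hash() { awk -F: 'substr($2, 1, 3) == "$1$" { print $1 }'; }

printf 'Hash algorithms:\n'
printf '%s\n' "$SAMPLE_SHADOW" | shadow_hash_algo
printf 'Password expired: %s\n' "$(printf '%s\n' "$SAMPLE_SHADOW" | shadow_password_expired | tr '\n' ' ')"
```

On a live system, run the functions as root with < /etc/shadow and set TODAY=$(( $(date +%s) / 86400 )), which gives the same "days since 1 January 1970" count the file uses.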
To change a user's password, use the passwd command. The root user can change the password for any user, but a regular user can only change their own password.
For example, to change the password for the user hostman, run the command as the root user:
passwd hostman
Enter the new password for the user twice, and the password will be updated.
To force the user to change their password at the next login, use the passwd command with the -e key:
passwd -e hostman
This command sets the password expiration date to the current date, so the user will be prompted to change their password the next time they log in.
Groups in Linux are necessary for organizing users. Each user must be in at least one group. When you create a user, a group with the same name is created by default.
To view all groups in the system, use the getent command:
getent group
It will show the content of the /etc/group file. The structure of the file is as follows:
group_name:password:group_id:group_members
For example:
hostman:x:1001:
Explanation of the fields in the group file:
Group Name — the name of the group.
Password — the group password, usually indicated by the symbol x, meaning the password is stored in encrypted form.
Group ID — the unique identifier of the group.
Group Members — the list of users who are members of the group.
To create a group, you can use groupadd. Let's create a group named group1:
groupadd group1
Groups can be renamed using groupmod. This is how we rename group1 to newgrp:
groupmod -n newgrp group1
To add a user to a group in Linux, use the usermod command with the -aG option, where -a means "append" and -G specifies the group:
usermod -aG sudo hostman
To add several users at once, you can use:
gpasswd -M user1,user2 newgrp
To check a user's groups, use the groups command followed by the username, for example:
groups hostman
To remove a user from a group, use the gpasswd command with the -d option:
gpasswd -d hostman sudo
Another option is to use deluser, which can also remove users from groups. For example, to remove user1 from newgrp:
deluser user1 newgrp
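The member list in /etc/group (field 4) is only half of group membership: a user whose primary GID in /etc/passwd (field 4) is the group's GID belongs to it too, yet never appears in /etc/group. The script below is an added example, not part of the original article, that combines the two files to answer "who is effectively in this group" (the question that matters for a group like sudo) and to reproduce what the groups command shows for one user. Both inputs are constructed samples written to a temporary directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): resolve effective group
# membership from /etc/group (supplementary members, field 4) plus
# /etc/passwd (primary group, field 4). Both inputs below are constructed
# samples; point the functions at the real files to audit a live system.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PASSWD_FILE="$WORKDIR/passwd"
GROUP_FILE="$WORKDIR/group"

cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
hostman:x:1000:1000:Hostman User:/home/hostman:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:27::/home/bob:/bin/bash
user1:x:1003:1003::/home/user1:/bin/bash
user2:x:1004:1004::/home/user2:/bin/bash
EOF

cat > "$GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:hostman,alice
staff:x:50:
hostman:x:1000:
alice:x:1001:
newgrp:x:1005:user1,user2
EOF

# effective_members GROUP PASSWD_FILE GROUP_FILE
# Users who are in GROUP either by being named in its member list or by having
# it as their primary group (the latter never shows up in /etc/group itself).
effective_members() {
  awk -F: -v g="$1" '
    FNR == NR {                                 # first file: the group file
      if ($1 == g) {
        gid = $3
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
      }
      next
    }
    gid != "" && $4 == gid { seen[$1] = 1 }     # second file: passwd, primary GID
    END { for (u in seen) print u }
  ' "$3" "$2" | sort
}

# user_groups USER PASSWD_FILE GROUP_FILE
# Mirrors the "groups" command: the primary group first, then supplementary ones.
user_groups() {
  awk -F: -v u="$1" '
    FNR == NR { if ($1 == u) pgid = $4; next }  # first file: passwd
    {
      if (pgid != "" && $3 == pgid) primary = $1
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) sup[$1] = 1
    }
    END {
      if (primary != "") print primary
      for (g in sup) if (g != primary) print g
    }
  ' "$2" "$3"
}

printf 'Effective members of sudo: %s\n' "$(effective_members sudo "$PASSWD_FILE" "$GROUP_FILE" | tr '\n' ' ')"
printf 'Groups of bob: %s\n' "$(user_groups bob "$PASSWD_FILE" "$GROUP_FILE" | tr '\n' ' ')"
```

In the sample, bob is a member of sudo only through his primary GID of 27; grep sudo /etc/group would not list him, which is why an access review should use both files (or getent, as on a live system).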
Managing users and groups in Linux is a fundamental task for system administrators. This article covered the basic commands and utilities for creating, deleting, and managing users and groups in a Linux system. Understanding these concepts and tools is essential for maintaining a secure and efficient operating environment.