
Linux: Users and Groups

Basics

This post contains the notes I am taking while learning Linux users and groups.

The root user is the most powerful user on a Linux system: it can perform any task. It is good practice to use a separate, unprivileged user for day-to-day operations.

Each person should have their own standard user account, with privileges limited to the tasks they are assigned. Shared accounts make it impossible to tell afterwards who did what.

There are also service accounts dedicated to a particular service, such as docker, incus or nginx. They are not set up for interactive login: they normally have no password and a shell such as /sbin/nologin or /bin/false.

It is a security best practice to log in to a Linux system with a non-privileged account instead of the root account. A user should not be given more privilege than they need to perform their job. That is the principle of least privilege.

If root privilege is required for a task, one can elevate privilege as needed with su - root (or simply su -), which asks for the root password and starts a login shell as root. The trailing - matters: without it the new shell keeps the calling user's environment, including PATH.

root privileges can be delegated to other users with sudo. To delegate commands to a user, add a rule for them to /etc/sudoers (or to a file under /etc/sudoers.d) using the visudo editor, which locks the file and verifies the syntax before the change is saved; a syntax error in sudoers would otherwise break sudo for everyone. A rule can be as narrow as a single command or as broad as ALL: a user granted ALL can do everything root can, so sudoers have exactly as much power as their rules give them.

The wheel group is conventionally used for administrative tasks. Its members (on Debian and Ubuntu the group is named sudo instead) can use sudo to perform root tasks because the distribution's sudoers contains a rule such as %wheel ALL=(ALL) ALL, and on some systems su is restricted to wheel members through pam_wheel. Membership in the group grants nothing by itself beyond what those rules say.

Polkit (PolicyKit)

Polkit is an authorization framework that controls how unprivileged processes request actions from privileged system services (typically over D-Bus). The service asks polkit whether the calling user may perform a given action, and polkit decides based on its rules and on whether the user is in a local, active session.

pkexec mkdir /lab-1 creates the folder lab-1 in the root directory of the system with root privilege; polkit first checks whether the caller is allowed to and usually prompts for a password. Unlike sudo, it consults polkit's rules, not /etc/sudoers. sudo seems easier, right?

You can use the id command to verify a user's identity and privilege. The root user always has UID 0; conversely, any account with UID 0 is root whatever its name, so a second UID 0 entry in /etc/passwd is a finding worth investigating.

Create, modify, and delete a new user

useradd demo creates a new user. The account is saved in /etc/passwd and configured according to the defaults in /etc/login.defs and /etc/default/useradd. With -m (the default on RHEL-family systems, where CREATE_HOME is set in /etc/login.defs), the user's home directory is created as /home/<account name> and populated with the files from /etc/skel (the skeleton directory). useradd does not set a password: the password field in /etc/shadow is left locked (! or !!), so at this stage the account exists but cannot be used for password login until the password is set separately.

useradd [options] username is the general syntax for creating a user account. The following are useful options:

-e: to set the expiration date of the account, in YYYY-MM-DD format. After that date the account becomes unusable. Example: useradd -e 2026-10-25 demo

-s: to set the login shell for the user. Example: useradd -s /bin/bash demo. Service accounts get /sbin/nologin instead.

-D: to view the defaults applied to new accounts (kept in /etc/default/useradd); combined with other options, -D changes those defaults.

-c: add a comment to the user account. It is stored in the GECOS field of /etc/passwd and usually holds the person's full name or the purpose of a service account, which makes administering user accounts easier.

passwd demo is used by the root user to set a password for the newly created user, demo in this case. root can use the same command to reset the password of any user; a regular user running passwd with no argument changes only their own password and must supply the current one first.

visudo opens the sudoers file so that users can be granted sudo rights if needed. Note that sudoers is a file, /etc/sudoers, not a group; the group that conventionally carries sudo rights is wheel or sudo, depending on the distribution.

demo ALL=(ALL) NOPASSWD:ALL grants demo the right to run any command as any user through sudo, without being asked for a password, which is enough to perform root-level tasks. The NOPASSWD part is convenient in a lab, but it means that anyone who obtains demo's session (a stolen SSH key, an unattended terminal) is root immediately; in production drop NOPASSWD and, better, list only the commands the user actually needs.
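The same grant written three ways, from weakest to tightest, as an added example that is not part of the original post. Each rule would go in its own file created with visudo -f /etc/sudoers.d/demo so that the syntax is checked before it is saved; the nginx commands and their paths in the last rule are illustrative assumptions.

```sudoers
# Added example: three sudoers rules for the same user, weakest first.
# Install with: visudo -f /etc/sudoers.d/demo

# Weak: any command, as any user, no password. Whoever holds demo's
# session (stolen SSH key, unattended terminal) is root at once.
demo ALL=(ALL) NOPASSWD:ALL

# Better: full delegation, but demo must re-enter their own password.
demo ALL=(ALL) ALL

# Least privilege: only the commands demo's job needs, as root, with
# fixed arguments. Paths are assumed; confirm them with "command -v".
demo ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/journalctl -u nginx
```

The last rule is only as tight as the commands in it: anything that can spawn a shell (an editor, a pager, an interpreter) makes the rule equivalent to ALL. Check a fragment with visudo -c -f /etc/sudoers.d/demo before relying on it, and review what a user ended up with using sudo -l -U demo.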

User account information is stored in /etc/passwd. The proper way to edit it is through useradd, usermod and userdel (or vipw, which locks the file while you edit it). Modern systems keep the password hashes and password-aging data in /etc/shadow, which is readable only by root (and, on some distributions, the shadow group), because /etc/passwd must stay world-readable so that tools such as ls can map UIDs to names.

Use the pwck command to check the consistency of /etc/passwd and /etc/shadow (grpck does the same for /etc/group and /etc/gshadow).

Each line of the shadow file contains nine colon-separated fields:

  • login name
  • hashed password; an empty field means no password is required, and a leading ! or * means the password is locked
  • date of the last password change, as days since 1970-01-01; 0 forces a change at next login, and an empty field disables password aging
  • minimum number of days between password changes
  • maximum number of days the password may be used before it must be changed; 99999 effectively means it never expires
  • number of days before expiry on which the user starts to be warned
  • inactivity period: number of days after the password expires during which it can still be changed, after which the account is disabled
  • account expiration date, as days since 1970-01-01, independent of password expiry
  • reserved field for future use

chage -E <date> <username> changes the expiration date of an existing account. Example: chage -E 2025-11-30 demo changes the demo account's expiration date. The documented form is YYYY-MM-DD; chage -E -1 removes the expiration date.

chage -l <username> shows the password aging and account expiration information.

chage -M <days> <username> sets the maximum number of days a password may be used before it must be changed. 90 days is a typical value for regular users and 60 for admin users.

chage -W <days> <username> sets how many days before the password expires the user starts being warned at login. 5 is a typical value.
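The shadow fields listed above and the chage settings are easier to reason about when you can see how login combines them. The following auditor is an added example, not code from the original post: it parses lines in the shadow(5) layout and reports, for a given day, what state each account is in. The sample entries and their hashes are constructed placeholders, and the day-boundary comparisons are the ones pam_unix applies (a password counts as expired from the day after last change + maximum, the account itself is unusable on its expiry day).

```python
# Added example, not from the original post: audit /etc/shadow entries the way
# login and chage -l read them. Sample lines below are constructed; the hashes
# are placeholders, not real password hashes.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)   # shadow day counts are days since this date


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]    # field 3: day of last password change
    min_days: Optional[int]       # field 4
    max_days: Optional[int]       # field 5
    warn_days: Optional[int]      # field 6
    inactive_days: Optional[int]  # field 7
    expire_day: Optional[int]     # field 8: day the account itself expires


def _day(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one shadow(5) line; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"shadow line needs 9 fields, got {len(f)}: {line!r}")
    return ShadowEntry(f[0], f[1], _day(f[2]), _day(f[3]), _day(f[4]),
                       _day(f[5]), _day(f[6]), _day(f[7]))


def to_day(d: date) -> int:
    return (d - EPOCH).days


def to_date(day: int) -> date:
    return EPOCH + timedelta(days=day)


def password_expires_on(e: ShadowEntry) -> Optional[date]:
    """The 'Password expires' line of chage -l, or None for never."""
    if e.last_change is None or e.max_days is None or e.max_days >= 99999:
        return None
    return to_date(e.last_change + e.max_days)


def account_state(e: ShadowEntry, today: int) -> str:
    """Classify an entry for a given day (days since 1970-01-01).

    Checks run in the order login applies them: account expiry first,
    then the hash field, then password aging. Day boundaries follow
    pam_unix: the account is unusable on its expiry day, while a password
    counts as expired from the day after last_change + max_days.
    """
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"
    if e.pw_hash == "":
        return "no-password"            # empty field: no password needed at all
    if e.pw_hash.startswith(("!", "*")):
        return "locked"                 # passwd -l prefixes '!'; '*' marks service accounts
    if e.last_change is None:
        return "aging-disabled"         # empty last-change field switches aging off
    if e.last_change == 0:
        return "must-change"            # chage -d 0 forces a change at next login
    if e.max_days is None or e.max_days >= 99999:
        return "never-expires"
    due = e.last_change + e.max_days
    if today > due:
        if e.inactive_days is not None and today > due + e.inactive_days:
            return "inactive-locked"    # grace period is over: account disabled
        return "password-expired"       # user must change it at next login
    if e.warn_days and today > due - e.warn_days:
        return "warn"
    return "ok"


def audit(shadow_text: str, today: int) -> Dict[str, str]:
    entries = (parse_shadow_line(ln) for ln in shadow_text.splitlines() if ln)
    return {e.name: account_state(e, today) for e in entries}


# Constructed sample in shadow(5) layout: max 90 days, warn 5, inactive 14,
# account expiry for demo; alice locked with passwd -l; nopw has no password.
SAMPLE_SHADOW = """\
root:$6$salt$placeholder:19700:0:99999:7:::
demo:$6$salt$placeholder:20000:0:90:5:14:20600:
alice:!$6$salt$placeholder:20000:0:90:5:::
nopw::20000:0:99999:7:::
nginx:*:19000::::::
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW, to_day(date.today())).items():
        print(f"{name:8} {state}")
```

Running it against the real file (as root, since /etc/shadow is not world-readable) and looking for "no-password" and "never-expires" on human accounts is the check that the chage -M and -W policies above are actually applied.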

usermod -l <new-username> <current-username> changes the login name of an existing user. The usermod command is used to modify user account information. Only the name changes: the home directory keeps its old path unless you also pass -d /home/<new-username> -m, and the user's files stay owned by the same UID.

A quick way to lock a user account is passwd -l <username>, which prefixes the password hash in /etc/shadow with ! so that no password matches; passwd -u <username> unlocks it. Locking the password does not stop authentication by other means, such as an SSH key in the user's authorized_keys, so to disable an account fully also expire it (chage -E 0 <username>) or set its shell to /sbin/nologin.

userdel <username> deletes a user. The home directory stays on the system after the account is deleted; to remove it (and the mail spool) along with the account, use the -r flag: userdel -r <username>. Files the user owned elsewhere keep the old numeric UID, so search the filesystem for files still owned by that UID and re-own or remove them before the UID is reused by a new account.

Create, modify, and delete a user group

User groups grant a set of users shared access to files and other resources. Groups are stored in /etc/group. Each line has 4 colon-separated fields:

  • name: the group name
  • password: usually x, meaning the (rarely used) group password hash lives in /etc/gshadow; it only matters for newgrp
  • id: the numeric group ID (GID)
  • list: the supplementary members of the group, comma-separated; users whose primary GID is this group are not listed here

groupadd, groupmod and groupdel are the proper tools for modifying the group file. A newly created group has no members and no password.

groupadd [options] <group name> creates a new group. Example: groupadd -g 1500 instructors creates a group called instructors with GID 1500. -g picks an explicit GID, which must not already be in use (100 is commonly the users group and groupadd refuses duplicates); without -g the next free GID is assigned.

groupmod -n <new-group-name> <current-group-name> to modify the name of an existing group.

To add a user to a group, use usermod -aG. For example usermod -aG instructors demo adds the account demo to the instructors group. The -a (append) flag is essential: usermod -G instructors demo on its own replaces demo's whole list of supplementary groups with just instructors, silently removing it from wheel or any other group. The new membership takes effect at the user's next login.

groupdel does not delete the users in the selected group; it deletes just the group itself, and it refuses to remove a group that is still the primary group of any user. The syntax is groupdel [options] <group name>; for example groupdel students deletes the students group.

Search users and groups

whoami prints the username of the effective user running the shell, so after su or sudo -i it prints root.

In the default shell prompt, a # indicates a root shell and a $ a standard-user shell.

who shows the users currently logged in: the username, the terminal, the login date and time, and the host they connected from. The -u flag adds the idle time: a . means the user was active within the last minute, old means idle for more than 24 hours.

who am i shows only the line for the terminal the command is run from. Because it comes from the login record, it still shows the original login name after su, whereas whoami shows the effective user.

The w command shows the users currently logged in together with what each of them is doing (their current process), plus the uptime and load average. w [options] [username] limits the output to one user.

last shows the history of logins and logouts with their dates and times. It reads the information from /var/log/wtmp, a binary file, which is why it is queried through last rather than read directly.

id to display user id (UID) and group id (GID) information. id [options] [username] is the proper syntax.

groups <username> to determine all the groups a user is part of.

To list the members of a group, some distributions ship lid (List ID) from the libuser package, installed as libuser-lid on recent Fedora releases: lid -g <group name>.

getent (get entries) queries the name service switch, so getent group <group name> returns the group and its members from every configured source (LDAP, SSSD, ...), not only /etc/group. getent passwd <username> does the same for user accounts.
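The reason id, groups and getent group can disagree is that /etc/group only lists supplementary members, while a user's primary group is recorded as a GID in /etc/passwd. The following added example (not code from the original post) resolves membership from both files the way those commands do, and runs two checks that follow from the earlier notes on UID 0 and on service accounts: extra UID 0 accounts, and service accounts that still have an interactive shell. The passwd and group contents are constructed samples, and the UID_MIN of 1000 is an assumption taken from the usual /etc/login.defs default.

```python
# Added example, not from the original post: resolve group membership from
# passwd(5)/group(5) data and flag two classic audit findings. The file
# contents below are constructed samples; UID_MIN=1000 is assumed.
from typing import Dict, List, Set

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid, gecos, home, shell} from passwd(5) lines."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line needs 7 fields: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_group(text: str) -> Dict[str, dict]:
    """name -> {gid, members} from group(5) lines; members is field 4 only."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"group line needs 4 fields: {line!r}")
        name, _pw, gid, members = fields
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def groups_of(user: str, users: Dict[str, dict], groups: Dict[str, dict]) -> List[str]:
    """What `groups <user>` prints: the primary group (from the passwd GID)
    first, then the supplementary groups that list the user in /etc/group."""
    primary_gid = users[user]["gid"]
    primary = [g for g, info in groups.items() if info["gid"] == primary_gid]
    supplementary = [g for g, info in groups.items()
                     if user in info["members"] and g not in primary]
    return primary + supplementary


def members_of(group: str, users: Dict[str, dict], groups: Dict[str, dict]) -> Set[str]:
    """Every user in the group. /etc/group (and getent group) carry only the
    supplementary members; users whose primary GID is this group are found
    through /etc/passwd, which is why the two views can disagree."""
    gid = groups[group]["gid"]
    by_primary = {u for u, info in users.items() if info["gid"] == gid}
    return by_primary | set(groups[group]["members"])


def uid0_accounts(users: Dict[str, dict]) -> List[str]:
    """Accounts other than root with UID 0: each one is root under another name."""
    return sorted(u for u, info in users.items() if info["uid"] == 0 and u != "root")


def service_accounts_with_shell(users: Dict[str, dict], uid_min: int = 1000) -> List[str]:
    """System accounts (UID below UID_MIN, assumed 1000) whose shell still
    allows interactive login, contrary to how service accounts should be set up."""
    return sorted(u for u, info in users.items()
                  if 0 < info["uid"] < uid_min and info["shell"] not in NOLOGIN_SHELLS)


# Constructed samples in passwd(5) and group(5) layout.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
demo:x:1001:1001:Demo User:/home/demo:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
nginx:x:991:991:Nginx web server:/var/lib/nginx:/sbin/nologin
incus:x:990:990:Incus daemon:/var/lib/incus:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:demo
instructors:x:1500:demo,bob
demo:x:1001:
bob:x:1002:
nginx:x:991:
incus:x:990:
"""
USERS = parse_passwd(SAMPLE_PASSWD)
GROUPS = parse_group(SAMPLE_GROUP)

if __name__ == "__main__":
    print("demo is in:", " ".join(groups_of("demo", USERS, GROUPS)))
    print("instructors:", sorted(members_of("instructors", USERS, GROUPS)))
    print("root group (incl. primary GID 0):", sorted(members_of("root", USERS, GROUPS)))
    print("extra UID 0 accounts:", uid0_accounts(USERS))
    print("service accounts with a shell:", service_accounts_with_shell(USERS))
```

Against a real system, feed it the output of getent passwd and getent group rather than the files, so that accounts from LDAP or SSSD are included in the same checks.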

Account profiles

.bashrc is read by every interactive non-login shell and lets each user customize their own environment. It is commonly used for aliases, environment variables, the default directory, the default file-permission mask (umask) and the command prompt. It is located at ~/.bashrc.

.bash_profile provides the shell configuration for the initial login shell, and usually sources ~/.bashrc so that the two stay consistent. It is located at ~/.bash_profile in each user's home directory; if it is absent, Bash falls back to ~/.bash_login and then ~/.profile.

To run a script whenever any user logs in, place it in /etc/profile.d/: every *.sh file there is sourced by /etc/profile for all login shells. It is recommended to use /etc/profile.d for system-wide variables rather than editing /etc/profile itself, which package updates may overwrite. Note that the per-user files run afterwards, so a user can override whatever these scripts set.

/etc/bashrc (named /etc/bash.bashrc on Debian and Ubuntu) provides system-wide configuration specific to Bash and applies to every user's interactive shell. It is different from ~/.bashrc, which is specific to each user.