Day 3: User Management
Linux manages users through configuration files and command-line tools. Every user is assigned a numeric UID (User ID), which should be unique (useradd refuses a duplicate UID unless -o is given). The kernel associates processes and file ownership with UIDs and GIDs, not names, so access control depends entirely on the numeric IDs: two accounts with UID 0 are both root, whatever they are called.
Key Configuration Files
/etc/passwd - User Account Information
One line per user, seven colon-separated fields:
username:password:UID:GID:comment:home_directory:shell
- The password field contains x, meaning the password is shadowed: the actual hash is stored in /etc/shadow.
- Never store a real password or hash here: /etc/passwd is world-readable, so anything in this field can be cracked offline by any local user.
/etc/shadow - Password Hashes & Aging
Readable only by root (and by the shadow group on Debian-based systems). Format:
username:password_hash:last_change:min_days:max_days:warn_days:inactive:expire
(a ninth, reserved field follows and is normally empty)
- A hash starting with ! or * can never match a typed password: ! marks an account locked with passwd -l, * an account that was never given a password (typical for system accounts).
- last_change is counted in days since 1970-01-01; a max_days of 99999 means the password never expires.

/etc/group - Group Membership
Group name, group password (rarely used), GID, and list of member usernames.
/etc/gshadow - Group Passwords & Administrators
Root-only file storing, per group, the hashed group password, the list of group administrators (who may add and remove members with gpasswd), and the member list.
/etc/login.defs
Default settings for password aging, UID/GID ranges, home directory creation, and other system-wide policies.
/etc/default/useradd
Default values for the useradd command: home directory base, skeleton directory, login shell, default group, and inactivity period. useradd -D prints the current defaults.
/etc/skel/
Skeleton directory. Any files placed here are automatically copied to a new user’s home directory upon creation.
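The three formats above are what an account audit actually parses. The script below is an added example, not part of the original page: it runs the checks a reviewer makes first (extra UID 0 accounts, empty or never-expiring password hashes, locked entries, and members of the groups that sudoers usually trusts) over constructed passwd, shadow and group text embedded in the script. The sample accounts, the fake hash values and the function names are all assumptions made for the example; on a real host you would feed the functions getent output or the files themselves.

```shell
#!/bin/sh
# Added example: audit helpers for the /etc/passwd, /etc/shadow and
# /etc/group formats. Every function reads the file text on stdin and
# prints one account (or group) name per finding.

# Constructed sample data (not a real system). Hash values are fakes.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc-backup:x:0:1002:backup service:/var/lib/backup:/bin/sh
EOF
)
SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$saltsalt$FAKEHASHROOT:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$FAKEHASHALICE:19700:0:90:7:::
bob::19700:0:99999:7:::
svc-backup:!$6$saltsalt$FAKEHASHSVC:19700:0:99999:7:::
EOF
)
SAMPLE_GROUP=$(cat <<'EOF'
root:x:0:
sudo:x:27:alice,svc-backup
developers:x:1002:alice,bob
EOF
)

# passwd: accounts other than root whose UID is 0. The kernel only looks at
# the number, so each of these is a second root account.
extra_uid0() {
  awk -F: 'NF == 7 && $3 == 0 && $1 != "root" { print $1 }'
}

# shadow: an empty hash field means login with no password at all.
empty_password() {
  awk -F: 'NF == 9 && $2 == "" { print $1 }'
}

# shadow: entries whose hash starts with "!" or "*" cannot log in by password.
locked_accounts() {
  awk -F: 'NF == 9 && $2 ~ /^[!*]/ { print $1 }'
}

# shadow: usable hashes (starting with "$") whose max_days is empty or
# 99999, i.e. the password is never forced to rotate.
never_expires() {
  awk -F: 'NF == 9 && substr($2, 1, 1) == "$" && ($5 == "" || $5 + 0 >= 99999) { print $1 }'
}

# group: members of the groups that a stock sudoers file makes root.
privileged_group_members() {
  awk -F: 'NF == 4 && $1 ~ /^(sudo|wheel|admin)$/ && $4 != "" { print $1 ": " $4 }'
}

# Human-readable report over the constructed samples.
report() {
  printf '== UID 0 accounts other than root ==\n'
  printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
  printf '== empty password hashes ==\n'
  printf '%s\n' "$SAMPLE_SHADOW" | empty_password
  printf '== locked accounts ==\n'
  printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts
  printf '== passwords that never expire ==\n'
  printf '%s\n' "$SAMPLE_SHADOW" | never_expires
  printf '== members of sudo/wheel/admin ==\n'
  printf '%s\n' "$SAMPLE_GROUP" | privileged_group_members
}

report
```

On a live system the equivalent calls are getent passwd | extra_uid0, sudo cat /etc/shadow | never_expires, and getent group | privileged_group_members; getent is used so that LDAP or SSSD accounts are included, which a plain grep of /etc/passwd would miss.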
Commands
Create Users
useradd username # minimal: password field is left locked (!); a home directory is created only if CREATE_HOME is yes in /etc/login.defs
useradd -m -s /bin/bash alice # with home dir and bash shell
-m creates the home directory and copies /etc/skel/ into it
-s sets the login shell
Debian/Ubuntu alternative:
adduser alice

Query User Information
getent passwd username # works with LDAP/NIS/SSSD too; better than grepping /etc/passwd, which only shows local accounts

Set or Change Password
passwd username # root can change any password
passwd # user changes own password

Manage Password Aging
chage -l username # view current settings
chage -d 0 username # force password change on next login

Modify Existing Users
usermod -aG groupname username # add user to supplementary group
usermod -d /new/home -m username # change home directory and move contents

Delete Users
userdel username # removes user but keeps home directory
userdel -r username # removes user, home directory, and mail spool

Group Management
Groups are the second axis of Linux's discretionary access control (DAC): permissions are checked for owner, then group, then others, and a process carries its primary GID plus every supplementary group it was given at login.
Commands
Show User’s Groups
groups username

Create / Modify / Delete Groups
groupadd groupname # create a group
groupmod -n newname oldname # rename group
groupdel groupname # fails if group is any user's primary group
Debian/Ubuntu alternative:
addgroup groupname

Identity & Session Commands
| Command | Purpose |
|---|---|
| whoami | Prints effective username (useful after sudo or su) |
| who | Lists logged-in users, login times, terminals |
| w | Extended who: shows what each user is running |
| id | Shows UID, GID, and group memberships; id -u prints the UID only, id -Gn the group names only |
Practical Tips
List all users:
getent passwd | cut -d: -f1
Lock / unlock a user account:
passwd -l username
passwd -u username
Locking only prefixes the hash with ! and blocks password logins; an SSH key still works. To disable the account entirely, also expire it (usermod --expiredate 1, as the passwd man page recommends).
Change a user's primary group:
usermod -g groupname username
Add user to multiple groups at once:
usermod -aG group1,group2 username
Delete user and all associated files:
userdel -r username
Resources
- [read] Gentoo Handbook: Finalizing the Installation (User Accounts)
- [read] ArchWiki: Users and Groups
- [read] Debian Documentation: User Manuals
Privilege Escalation: su vs sudo
Understanding the difference is vital for auditability and security.
| Feature | su (Substitute User) | sudo (Superuser Do) |
|---|---|---|
| Password Used | Target's (root's) password, shared by everyone who uses it | Your own password |
| Audit Trail | Poor: the switch itself is logged, but nothing run afterwards is attributed to the original user | Good: each command is logged with the invoking user, the target user, and the command line (journalctl / auth log) |
| Scope | Switches the entire session | Executes a single command (sudo -i gives a full shell and loses per-command logging) |
| Best Practice | Discouraged for admins | Standard for SREs; grant the minimum command set needed |
The /etc/sudoers Logic
Edit safely using sudo visudo. The syntax follows:
User Host=(User:Group) Commands
On most distributions one predefined group grants full sudo rights to every member through a single %group entry in /etc/sudoers: sudo on Debian/Ubuntu, wheel on Red Hat-family systems and Arch (on Arch the %wheel line ships commented out and must be enabled), and admin on some legacy systems. Adding a user to that group is equivalent to handing out root, so review its membership as carefully as the sudoers file itself.
Example Entry:
# Allow members of %sudo to run everything
%sudo ALL=(ALL:ALL) ALL
# Restricted access for 'alice'
alice ALL=(root) /bin/systemctl restart nginx
The second entry is only as tight as its command string: alice can run exactly that command line as root and nothing else. Keep paths absolute, avoid wildcards (they match far more than intended), and never grant commands that can spawn a shell or an editor, because that turns a restricted entry into full root. Check the file with sudo visudo -c before relying on it.

Resources
- Linux Crash Course - sudo
- DigitalOcean: Edit Sudoers File
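The weak patterns called out above (NOPASSWD on an unrestricted ALL, wildcards in the command list, commands that can drop into a shell) are easy to spot mechanically. The script below is an added example, not part of the original page or of sudo itself: it lints constructed sudoers text containing the two entries shown above plus three deliberately weak grants. The sample users (deploy, backup, carol), the list of shell-spawning commands and the function name are assumptions for the example; the real syntax check remains sudo visudo -c, which this does not replace.

```shell
#!/bin/sh
# Added example: a small lint for sudoers grant lines.

# Constructed sample (not a real file): the page's two entries plus three
# weak ones that a reviewer should catch.
SAMPLE_SUDOERS=$(cat <<'EOF'
# Defaults and comments are not grant lines
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice ALL=(root) /bin/systemctl restart nginx
deploy ALL=(root) NOPASSWD: ALL
backup ALL=(root) /usr/bin/rsync *
carol ALL=(root) /usr/bin/vim /etc/hosts
EOF
)

# Reads sudoers text on stdin; prints "user<TAB>finding" for each weak grant.
# Grant syntax: user host=(runas_user:runas_group) [TAG:] command[, command...]
sudoers_findings() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^Defaults/ { next }
    {
      user = $1
      rhs = $0
      sub(/^[^=]*=[[:space:]]*/, "", rhs)      # keep what follows "host="
      sub(/^\([^)]*\)[[:space:]]*/, "", rhs)    # drop "(runas_user:runas_group)"
      nopasswd = (rhs ~ /NOPASSWD:/)
      gsub(/[A-Z]+:[[:space:]]*/, "", rhs)      # drop tags such as NOPASSWD: or SETENV:
      if (nopasswd && rhs == "ALL")
        print user "\tNOPASSWD with unrestricted ALL"
      if (rhs ~ /\*/)
        print user "\twildcard in command list"
      n = split(rhs, cmds, /,[[:space:]]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], words, /[[:space:]]+/)
        base = words[1]
        sub(/.*\//, "", base)                    # path -> basename
        # Illustrative list (an assumption): binaries that can hand the
        # caller an interactive shell or edit arbitrary files as root.
        if (base ~ /^(sh|bash|su|vi|vim|nano|less|more|find|python3?)$/)
          print user "\tcommand can spawn a shell: " cmds[i]
      }
    }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_findings
```

Run against a real file with sudo cat /etc/sudoers /etc/sudoers.d/* | sudoers_findings. The two entries from the page produce no findings; deploy, backup and carol each produce one.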
Practical Lab (1.5 Hours)
Step 1: User & Group Setup
sudo groupadd developers
sudo useradd -m -G developers dev-user

Step 2: Shared Directory Config
Create /opt/project so only developers can write, but everyone can read.
sudo mkdir -p /opt/project
sudo chown :developers /opt/project
sudo chmod 775 /opt/project
# Add sticky bit so only a file's owner (or root) can delete it: devs cannot remove each other's work
sudo chmod +t /opt/project
Note that 775 alone does not make new files group-owned by developers: a file created here gets its creator's primary group and umask, so other developers may be unable to edit it. Setting the setgid bit on the directory (g+s) makes new files inherit the developers group.

Step 3: Verification
- Check permissions with ls -ld /opt/project; the mode should read drwxrwxr-t and the group developers.
- Confirm membership with id dev-user.
- Review sudo logs: sudo journalctl _COMM=sudo.
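The three lab steps, together with the useradd/chage/getent commands from the Commands section, fit into one idempotent script. It is an added example, not part of the original page: the group, user and directory names come from the lab, while the function names, the --apply flag and the 3775 mode (775 plus setgid plus sticky) are choices made for the example. Group and user creation need root and only run with --apply; the shared-directory functions work on any directory and any group the caller belongs to, which is how the example can be exercised without privileges.

```shell
#!/bin/sh
# Added example: the lab as re-runnable functions.

GROUP_NAME=developers
USER_NAME=dev-user
PROJECT_DIR=/opt/project

# Step 1: create the group and user only if they do not exist yet.
# getent is used for the existence check so directory-backed accounts count.
provision_dev_user() {
  group=$1; user=$2
  getent group "$group" >/dev/null || groupadd "$group"
  if ! getent passwd "$user" >/dev/null; then
    useradd -m -s /bin/bash -G "$group" "$user"
    chage -d 0 "$user"      # force a password change at first login
  fi
}

# Step 2: group-writable, world-readable directory. Mode 3775 is 775 plus:
#   2000 setgid: new files inherit the directory's group, not the creator's
#   1000 sticky: only a file's owner (or root) can delete or rename it
setup_shared_dir() {
  dir=$1; group=$2
  mkdir -p "$dir"
  chgrp "$group" "$dir"
  chmod 3775 "$dir"
}

# Step 3 helpers: values to verify, returned on stdout.
path_mode() { stat -c %a "$1"; }   # octal mode including special bits, e.g. 3775
path_gid()  { stat -c %g "$1"; }   # numeric group of a path

# GID that a freshly created file inside DIR receives (setgid check).
new_file_gid() {
  dir=$1
  f=$(mktemp "$dir/.probe.XXXXXX")
  stat -c %g "$f"
  rm -f "$f"
}

# Apply to the real system only on explicit request and as root:
#   sudo sh day3-lab.sh --apply
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
  provision_dev_user "$GROUP_NAME" "$USER_NAME"
  setup_shared_dir "$PROJECT_DIR" "$GROUP_NAME"
  ls -ld "$PROJECT_DIR"
  id "$USER_NAME"
  [ "$(path_mode "$PROJECT_DIR")" = "3775" ] || echo "mode check failed" >&2
fi
```

After --apply, ls -ld /opt/project shows drwxrwsr-t (the s in the group column is the setgid bit), and a file touched by dev-user inside it belongs to developers rather than to dev-user's primary group.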