Americas

  • United States
sandra_henrystocker
Unix Dweeb

Commands and settings for managing user accounts on Linux

How-To
Jan 17, 20235 mins
Linux

To manage user accounts on Linux systems, you'll need to be familiar with some important files and commands.

building better it management skills people workers

If you’re administering a Linux server, chances are you have a lot of user accounts to manage and, along with these, a lot of files and settings to control. Here are some commands and issues that are important in setting up and managing user accounts and access rights.

Dealing with IDs

First, in managing user accounts, you need to be aware of both user IDs (UID) and group IDs (GID). Most accounts are set up with each user being the sole member of a group that has the same name as the user’s account. In fact, both are set up when an account is created using the useradd command. When you list a user’s home directory, you should see something like this:

$ ls -ld /home/dbell
drwxr-xr-x. 8 dbell dbell 4096 Mar 23  2021 /home/dbell
                ^     ^
                |     |
              user  group

Note that the username and groupname are both “dbell”. To see the numerical equivalent of these values, use a command like this one instead:

$ ls -ldn dbell
drwxr-xr-x. 8 1003 1003 4096 Mar 23  2021 dbell
                ^    ^
                |    | 
               UID  GID

The numeric value is 1003 for both the username and groupname. The information displayed is derived from the /etc/passwd and /etc/group files, which connect the names to their numeric values.

$ grep dbell /etc/passwd /etc/group
/etc/passwd:dbell:x:1003:1003:Dana Bell:/home/dbell:/bin/bash
/etc/group:dbell:x:1003:

Working with important files

Some of the most important files that you need to deal with when managing user accounts are the /etc/passwd, /etc/shadow and /etc/group files. As shown above, the /etc/passwd and /etc/group files hold the UIDs and GIDs along with the users’ home directories. Any groups that the user is a member of – including their personal group – are stored in the /etc/group file. The /etc/shadow file contains the password hash and aging parameters that ensure password security and can force users to change their passwords periodically.

These entries are set up when you use the useradd command which adds lines to the /etc/passwd file, the /etc/group file and the /etc/shadow file.

$ sudo useradd newuser
$ sudo grep newuser /etc/passwd /etc/group /etc/shadow
/etc/passwd:newuser:x:1019:1019::/home/newuser:/bin/bash
/etc/group:newuser:x:1019:
/etc/shadow:newuser:!!:19372:0:99999:7:::

Note that sudo is required for creating accounts and for looking at the /etc/shadow file.

The UID for a new account will automatically be assigned the next available number for user accounts. On most Linux systems, the first user account will have the value 1000, and each additional user will be one higher than the previous one. UIDs with smaller values are system accounts. As shown in the bottom line in the above output, there is no password hash when an account is initially set up. That field will show up as !! until a password is assigned. When a password is set up, a long string representing the password hash will take the place of the two exclamation points.

Sysadmins will often set up a temporary password for a new user and then use a command like the second sudo command shown below to expire that password which then requires the user to set a new password on first login. In this way, only the user knows the password to the account.

$ sudo passwd newuser
New password:
Retype new password:
$ sudo passwd -e newuser

The fifth (colon-separated) field in the /etc/passwd file is for the user’s full name and/or description—often referred to as the comment field.

This can be added when an account is created or you can add it later with the usermod -c command. On the other hand, with superuser privilege, you can simply edit the /etc/password file to add the full name.

$ sudo usermod -c “Dana Bell” dbell
$ grep dbell /etc/passwd
dbell:x:1003:1003:Dana Bell:/home/dbell:/bin/bash
                    ^
                    |
           username or description

To include the full name when an account is initially set up, use a command like this:

$ sudo useradd -c “Dana Bell” dbell

Removing user accounts

While the useradd command is used to create accounts and the usermod command lets you make changes to accounts, the userdel command can be used to remove accounts. It’s important to understand, however, that the userdel command does not remove a user’s home directory unless you include the -r option like this:

$ sudo userdel newuser -r

Viewing user settings

While it’s easy to pull information from the /etc/passwd and /etc/group files using grep, another very useful command for extracting information about user accounts is the id command which displays UIDs, GIDs and group memberships is a very convenient format.

$ id newuser
uid=1019(newuser) gid=1019(newuser) groups=1019(newuser)
$ id shs
uid=1000(shs) gid=1000(shs) groups=1000(shs),10(wheel),900(techs)

Adding a user to a secondary group

The usermod command also provides a way to add a user to a secondary group. To do this, use a command like the one shown below which adds the user to the techs group. The id command can then be used to verify the change.

$ sudo usermod -a -G techs newuser
$ id newuser
uid=1019(newuser) gid=1019(newuser) groups=1019(newuser),20(techs)

Wrap-Up

Linux makes setting up, changing and removing accounts quite easy, but you do need to know a handful of important commands to properly manage user accounts and user privileges.

sandra_henrystocker
Unix Dweeb

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.