Chapter 11: Managing User Accounts
User accounts maintain the boundary between the people using the system and the processes running within it. Groups are a method for assigning system permissions to multiple users at once.
11.1 Creating User Accounts
Everyone using a Linux system should have a separate user account. Having an account provides a dedicated area for storing files and allows for personalizing the user interface (GUI, paths, environment variables, etc.) to suit individual habits.
You can use the Cockpit GUI to create accounts. If it is not installed, install it first (the install command is distribution-specific), then open localhost:9090 in your browser to manage accounts.
11.1.1 Adding Users with the useradd Command
In most cases, using a GUI is a hassle. You can use the useradd command instead (requires root). The only mandatory parameter is the login name. Useful options include:
| Option | Description |
|---|---|
| -c “comment” | Provides a description of the new account. Usually the user’s full name. |
| -d home_dir | Sets the home directory. Defaults to /home/loginname. |
| -D | Doesn’t create an account; instead, saves provided info as defaults for future users. |
| -e expire_date | Sets an expiration date in YYYY-MM-DD format. Example: -e 2024-08-01 |
| -f -1 | Days after password expiration before the account is locked. -1 disables this. |
| -g group | Sets the primary group (must exist in /etc/group). Otherwise, a new group with the username is created. |
| -G grouplist | Adds the user to supplementary groups (comma-separated, no spaces). Example: -G wheel,sales,tech |
| -k skel_dir | Files for the home directory, copied from skel_dir (default is /etc/skel). |
| -m | Automatically creates the home directory. Default on Fedora/RHEL, but not on Ubuntu. |
| -M | Do NOT create the home directory, even if -m is specified. |
| -n | Disables the default behavior of creating a group matching the username/UID. |
| -o | Used with -u uid to create an account with a non-unique UID. |
| -p passwd | Sets the password from an already-hashed string (e.g. MD5 output from openssl passwd; openssl passwd -6 produces a stronger SHA-512 hash). The hash passed this way is visible in shell history and the process list, so if in doubt skip it and run passwd user afterwards. |
| -s shell | Sets the default shell. Example: -s /bin/csh |
| -u user_id | Specifies a UID. If omitted, it’s auto-assigned. Regular users start at 1000. |
Standard usage is to give useradd the login name, optionally preceded by the options above. When creating the yexca account this way, useradd does the following:
- Reads /etc/login.defs and /etc/default/useradd for default values.
- Checks command-line arguments to see which defaults were overridden.
- Creates new user entries in /etc/passwd and /etc/shadow.
- Creates a new group entry in /etc/group.
- Creates a home directory in /home based on the username.
- Copies files from /etc/skel to the new home directory (usually login and app startup scripts).
A typical entry in /etc/passwd:
yexca:x:1001:1001::/home/yexca:/bin/bash
Fields are colon-separated: login name, password, UID, primary GID, comment, home directory, and default shell.
The x in the password field means the actual encrypted password is stored in /etc/shadow.
A typical entry in /etc/group:
yexca:x:1001:
Fields: group name, group password, GID, and a list of users in the group.
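The two file formats just described, as an added example that is not part of the original chapter: a small parser for /etc/passwd and /etc/group lines that resolves a user's primary and supplementary groups and flags extra UID-0 accounts. It works on constructed sample lines embedded in the code rather than reading the real files, so it runs anywhere.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid comment home shell")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")

# Constructed sample data: the chapter's yexca/hi entries plus one suspicious
# account that shares UID 0 with root (what useradd -o -u 0 would produce).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
yexca:x:1001:1001::/home/yexca:/bin/bash
backup:x:0:1002:legacy admin:/home/backup:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
yexca:x:1001:yexca
hi:x:1002:yexca
"""

def parse_passwd(text):
    """Split each line into the seven colon-separated fields of /etc/passwd."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, pw, uid, gid, comment, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), comment, home, shell))
    return entries

def parse_group(text):
    """Split each line into the four fields of /etc/group; members become a list."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, gid, members = line.split(":", 3)
        entries.append(GroupEntry(name, pw, int(gid), [m for m in members.split(",") if m]))
    return entries

def groups_of(user, passwd_entries, group_entries):
    """Primary group (from the passwd GID field) first, then supplementary groups."""
    pe = next(e for e in passwd_entries if e.name == user)
    primary = next(g.name for g in group_entries if g.gid == pe.gid)
    return [primary] + [g.name for g in group_entries
                        if user in g.members and g.name != primary]

def uid_zero_accounts(passwd_entries):
    """Any account besides root with UID 0 is effectively root and worth flagging."""
    return [e.name for e in passwd_entries if e.uid == 0 and e.name != "root"]
```

On a real system, read the two files and feed their contents to parse_passwd and parse_group; the uid_zero_accounts check is a quick audit for accounts created with -o -u 0.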
11.1.2 Setting User Defaults
useradd determines defaults by reading /etc/login.defs and /etc/default/useradd. You can modify these files to change default behavior.
The settings in login.defs vary between Linux distributions.
To see other defaults, check /etc/default/useradd or run useradd -D.
You can use -D with other options to modify /etc/default/useradd:
- -b default_home — Set the base directory for home directories (usually /home).
- -e default_expire_date — Set the default account expiration date (YYYY-MM-DD).
- -f default_inactive — Set days after password expiry before an account is disabled.
- -g default_group — Set the default primary group. Usually, a new group with the same name/ID is created anyway.
- -s default_shell — Default shell.
11.1.3 Modifying Users with usermod
The usermod command is a straightforward way to change account parameters.
| Option | Description |
|---|---|
| -c "comment" | Changes the comment/description (usually the user's full name). |
| -d home_dir | Changes the home directory. |
| -e expire_date | Assigns a new expiration date (YYYY-MM-DD). |
| -f -1 | Changes days after password expiry before permanent lock. -1 disables it. |
| -g group | Changes the primary group (group must exist). |
| -G grouplist | Sets the supplementary groups, replacing the current list. Use -a -G to append to the existing groups instead. |
| -l login_name | Changes the login name. |
| -L | Locks the account (adds an ‘!’ before the encrypted password in /etc/shadow). |
| -m | Moves content from old home to new home. Only works with -d. |
| -o | Used with -u to allow non-unique UIDs. |
| -s shell | Changes the shell. |
| -u user_id | Changes the UID. |
| -U | Unlocks the account (removes the ‘!’ in /etc/shadow). |
11.1.4 Deleting Users with userdel
The command userdel -r yexca deletes the user from /etc/passwd. The -r flag ensures the home directory /home/yexca is also removed.
Before deleting, it’s a good idea to find any orphaned files using find: find / -user yexca -ls or find / -uid 1001 -ls.
Files not assigned to a user can be a security risk, because a new account that later receives the same UID silently becomes their owner. You should assign them to a real account. Use find / -nouser -ls to find files not associated with any existing user.
11.2 Understanding Group Accounts
Groups are useful for sharing a set of files among multiple users.
Use the chgrp grpName fileOrDir command to change the group ownership of a file or directory.
11.2.1 Using Group Accounts
Every user is assigned to a primary group, indicated by the fourth field in the /etc/passwd entry.
A user can belong to multiple supplementary groups or none at all. If user yexca is a member of groups yexca and hi, the entries in /etc/group look like this:
yexca:x:1001:yexca
hi:x:1002:yexca
Only root can change group memberships; regular users can’t change their own groups or add others to their groups.
If you want to create a file as a specific group, use the newgrp command to temporarily switch your effective group.
Users with root privileges can use gpasswd to set a password for a group.
11.2.2 Creating Group Accounts
Create: groupadd groupName
Assign GID: groupadd -g gid groupName
To modify a group, use groupmod with the existing group name:
groupmod -g newGid groupName
groupmod -n newGroupName groupName
To change supplementary groups, use the usermod command mentioned earlier.
11.3 Managing Users in the Enterprise
ACL (Access Control Lists) technology allows you to assign specific permissions for files or directories to any user or group.
11.3.1 Setting Permissions with ACLs
Two main commands: setfacl to set and getfacl to view directory permissions.
When setting, use -m to modify or -x to remove permissions. For example:
setfacl -m u:userName:rwx filename
11.3.2 Adding Collaboration Directories for Users
When using chmod, there’s a special set of three permission bits often ignored. These set special permissions on commands and directories.
Example: chmod 775 /home/yexca/tmp.txt is actually 0775.
| Name | Value | Letter |
|---|---|---|
| Set UID (SUID) | 4 | u+s |
| Set GID (SGID) | 2 | g+s |
| Sticky Bit | 1 | o+t |
- Creating a Group Collaboration Directory (Setting the GID bit)
Give the directory the shared group and set the SGID bit (value 2 from the table), for example chgrp cooperation /mnt/co-tmp followed by chmod 2775 /mnt/co-tmp.
Now, if user yexca creates a file in /mnt/co-tmp, the file’s group will be cooperation instead of yexca.
- Creating a Restricted Deletion Directory (Sticky Bit)
Command: chmod 1775 /mnt/tmp
In a restricted deletion directory, only the root user or the file owner can delete a file, even if others have write permissions.
The /tmp directory is a classic example of this (permissions are rwxrwxrwt).
- Set UID (SUID)
An executable with the SUID bit set (rwsr-xr-x) means that when others execute it, the process runs with the permissions of the file’s owner. Example: the su command. All users can run it, but the resulting process belongs to root.
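The special-bit table and the rwsr-xr-x / rwxrwxrwt strings above, worked through as an added example that is not from the chapter: converting between an octal mode such as 2775 or 1777 and the ls-style permission string, using only the standard stat module.

```python
import stat

# Position in the 9-character string where each special bit shows up, the
# letter used when the underlying execute bit is also set, the letter when it
# is not, and the bit itself (the table's 4, 2, 1 shifted into the octal mode).
SPECIAL_AT = {2: ("s", "S", stat.S_ISUID),   # rws------ : owner x slot
              5: ("s", "S", stat.S_ISGID),   # ---rws--- : group x slot
              8: ("t", "T", stat.S_ISVTX)}   # ------rwt : other x slot

def symbolic_mode(mode):
    """0o2775 -> 'rwxrwsr-x' (collaboration dir), 0o1777 -> 'rwxrwxrwt' (/tmp)."""
    chars = []
    for shift in (6, 3, 0):                  # owner, group, other triads
        bits = (mode >> shift) & 0o7
        chars += ["r" if bits & 4 else "-",
                  "w" if bits & 2 else "-",
                  "x" if bits & 1 else "-"]
    for idx, (with_x, without_x, bit) in SPECIAL_AT.items():
        if mode & bit:
            chars[idx] = with_x if chars[idx] == "x" else without_x
    return "".join(chars)

def parse_mode(text):
    """Inverse of symbolic_mode: 'rwsr-xr-x' (the su binary) -> 0o4755."""
    if len(text) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for idx, ch in enumerate(text):
        bit = 1 << (8 - idx)
        if ch == "rwx"[idx % 3]:
            mode |= bit
        elif idx in SPECIAL_AT and ch in SPECIAL_AT[idx][:2]:
            mode |= SPECIAL_AT[idx][2]
            if ch == SPECIAL_AT[idx][0]:     # lowercase: execute bit is set too
                mode |= bit
        elif ch != "-":
            raise ValueError("bad character %r at position %d" % (ch, idx))
    return mode

def special_bits(mode):
    """Names of the special bits set, e.g. ['SGID'] for chmod 2775."""
    names = (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID), ("Sticky", stat.S_ISVTX))
    return [n for n, b in names if mode & b]
```

An uppercase S or T in ls output means the special bit is set without the matching execute bit, which is usually a mistake worth investigating; parse_mode preserves that distinction.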
11.4 Centralized User Accounts
By default, Linux authenticates users against /etc/passwd and /etc/shadow. However, you can use other methods.
Examples include LDAP (Lightweight Directory Access Protocol), NIS (Network Information Service), Winbind, and more.