Yandex
Update cookies preferences

User management in Linux

In modern operating systems, you can create multiple accounts, each of which functions independently and does not affect other users or running programs. Accounts can be modified, for example, names, identifiers and other parameters can be adjusted. Let's look at user management in Linux using the Ubuntu distribution as an example.

Where user information is contained

On Linux systems, whether the user was added manually or created during software installation, the data is in /etc/passwd.

The file has the following structure: user name (login):password:user number:user group number:additional information:home directory path:shell path.

Fields in passwd

User name - this parameter serves for identification in the system and is used at login. The length of the name can vary from 1 to 32 characters.

Password - in Linux it is not stored in plaintext, which makes the system more secure. One of the special characters is used:
  • x - the password is stored in encrypted form together with a “salt” - a random set of characters that is added to the password hash sum during its creation. The encrypted password itself is located in the /etc/shadow file.
  • \ - this character means that the user does not have permission to log in.
If none of these characters are present in the password field, it indicates that there is no password for this user.

User number (UID) - each user is assigned a unique identifier in the form of a positive number.

0 - belongs to the root user with maximum privileges.
Numbers from 1 to 499 are reserved for pseudo-users, which are created together with the installation of programs.

For normal users, numbers starting with 500 or 1000 are used, but unlike root, they can be changed.

User Group Number (GID) - When a user is created in Linux, a group with the same name is automatically created and the user is assigned a GID. Groups unite users for the purpose of assigning access rights to system objects (files or directories). Each user must belong to at least one group. Like UIDs, groups are also assigned unique identifiers.

Additional information - you can specify the full name, address, or phone number of the user account or leave the fields blank.

Full path to home directory - each user has a home directory, which is /home by default. You can select a different directory.

Full path to shell and disable - the user can be assigned a shell in which to execute commands (more commonly bash or shell (sh)). It is also possible to disallow the use of an account to log on to the server.

Root, sudo and administrative rights

In Linux, there are two main methods of user authentication: root and non-root user. It is recommended to avoid using root by default. The root user can perform any action, and even accidental deletion of important data will not be accompanied by a warning. You should log in with a regular account, elevating privileges to root only when really necessary. In most cases, root privileges are not required to perform standard user tasks, but they are necessary for certain administrative operations.

In some distributions, such as Ubuntu, the root account is disabled by default, and it is not possible to log in as root. When Ubuntu is installed, a user is created who is automatically added to the Administrators group and can execute commands with root privileges using the `sudo` command, which temporarily grants the necessary privileges.

Managing users and groups in Linux

There is a set of commands that allows administrators to create, delete, and modify user accounts, as well as assign permissions and restrict access to system resources.

In Linux, a user account does not always correspond to a specific person who works at a computer. It is an object created in the Linux system to grant certain rights necessary to perform tasks. Such accounts can be associated with both people and different services.

How to add a user to Linux via useradd

The process of adding a new user to Linux can be divided into two steps: creating the user and setting a password for the user.

The first step is to use the `useradd` command:
useradd [create options] [login]This command relies on a number of preset settings that are defined in the `/etc/default/useradd` and `/etc/login.defs` files. To view the basic settings, you can use the command:
useradd -D

Basic parameters of useradd

  • GROUP: specifies the GID of the group to which the new user will be added.
  • HOME: specifies the base directory where the user's home directory will be placed.
  • INACTIVE: specifies the number of days until the account is locked out after the password becomes invalid. A value of “-1” disables this option.
  • EXPIRE: specifies the date until which the account will be active. If this option is not specified, the account will be active without restriction.
  • SHELL: specifies the command shell to be used by the user.
  • SKEL: path to the directory that stores the template files that are copied to the new user's home directory when the user is created.
  • CREATE_MAIL_SPOOL: specifies whether to create a mail directory for the new user in `/var/spool/mail`.
If you use `useradd` without additional parameters, a user with default settings will be created:
useradd test-userIf you want to configure a user with specific parameters, you should use the advanced options of the `useradd` command.
  • `-m`: creates a home directory if it does not already exist.
  • `-d /home/tester-user`: specifies the home directory to be assigned to the user.
  • `-c “Ivan Petrov”`: adds a comment to the account, such as first and last name.
  • `-g tester`: specifies the main group to which the user will belong. You can specify either a GID or the name of a group that must already exist on the system. This option can be used in conjunction with the `-N` key, which overrides the automatic creation of a group with the user's name.
  • `-G users, wheel`: specifies a list of additional groups to which the user will be added. Groups are specified comma separated with no spaces.
  • `-s /bin/bash`: specifies the command shell to be used by the user.
  • `-r`: creates a system user to run services. No home directory is created for it by default, and no data is added to `/etc/shadow`.
  • `-u`: specifies a unique UID (user identifier). The UID must be a positive integer and must not be repeated among other users.
  • `-e 2025-02-01`: specifies the date until which the account will be active. The date is specified in the format `YYYYYY-MM-DD`.
  • `-f 3`: Specifies the number of days until the account is locked out after the password expires.
The command might look like this:
useradd -m -u 777 -d /home/users/tester-userer -c "Tester" -e 2025-01-01 -s /bin/bash tester-userThis example creates a user `tester-user` with UID 777, home directory `/home/users/tester-user`, comment “Tester” and access to the `bash` shell. The account will be active until 01/01/2025.

After creating the user account, it is important to set up a strong password. For this purpose the command: passwd tester-user is used.

If you need to change the `tester-user` user data, the command will look something like this:
usermod -l tester-user2 -m -d /home/tester-user2 -c "Terminator" -u 1945 -e 2025-02-02 -f -1 tester-userIn this example, we change the login to `tester-user2`, specify a new home directory `/home/tester-user2` with file migration, update the comment, UID, account expiration date, and cancel the lockout if the password is out of date.

The system will try to automatically apply the new data to all files and directories of the user. After making changes, it is recommended to check and, if necessary, correct file permissions, especially in cases where the changes were not automatically applied.

Creating a user via adduser

Useradd is a low-level utility for adding users to Linux.  Adduser is a more convenient tool that is actually a shell over the useradd, groupadd and usermod commands. Not all Linux distributions have it, but if yours does, it is recommended.

Instead of ivanov, insert the name of the new user:
adduser ivanovAfter executing the command, you need to set a password for the new user and enter additional information. You do not need to enter this information - just press Enter to skip the step. 

This will create a user with the specified name, group, its home folder in /home/user_name directory, where files from /etc/skel directory will be duplicated.

Deleting users

Before deleting, it is important to make sure that no active processes are running under the account and no files are in the process of editing. Failure to do so may result in system crashes.

The `userdel` command is used to delete accounts. Its syntax is similar to other commands:
userdel [what to delete] [who]The command has two main parameters.
  • `-r`: Deletes the user's home directory and mail queue.
  • `-f`: Disables the protection mechanism. When this option is activated, the user will be deleted even if there are active processes and other potential conflicts.
After deleting a user, you should manually make sure that no files or directories belonging to the user are left on the server. This will help avoid possible problems related to the remaining traces of the deleted account.

User groups in Linux

Information about groups is stored in the `/etc/group` file. Groups are used to delegate access rights to files, directories or scripts to several users at the same time. For example, working with an FTP server. If you have chosen a directory to work with files, you can create a group and give it rights to this folder. Later, when you add new users to the group, you automatically grant them access to the FTP directory without having to configure permissions for each user individually.

Creation of groups

To create a new group, use the `groupadd` command with parameters.
  • `-f`: If the group already exists, the command will terminate without error.
  • `-g`: Assigns a unique GID for the new group.
  • `-r`: Creates a system group.
  • `-p`: Sets the password for the group, which is required when logging into the group using the `newgrp` command. However, this parameter is not recommended for security reasons, as the password is viewed in the command history.

Changing groups

The `groupmod` command is used to make changes to groups. The options are specified using parameters.

`-g`: Changes the GID of the group.
`-n`: Renames the group, giving it a new name.

If you want to change the group name from `group1` to `new-group`, the command would look like this
groupmod -n new-group group1

Deleting groups

A group cannot be deleted if it is the primary group for an existing user. In this case, you must first delete all users from this group. The deletion process itself is performed using the command:
groupdel group1After the deletion, it is important to check that no files and data belonging to this group remain on the server. This is necessary to prevent possible conflicts in the system.

Managing users in a group

This is done with the `gpasswd` utility. It provides several useful parameters, but only one parameter can be used per command.
gpasswd [what to do] [in which group]
  • `-a`: In Linux, adds a user to a group.
  • `-d`: Removes a user from a group.
  • `-A user1, user2`: This parameter is only available to users with administrator privileges (`root`). Assigns a list of administrators to the group.
  • `-M user1, user2`: Also available only to administrators. Assigns a list of group members.
  • `-r`: Disables the password for the group and allows only group members to use the `newgrp` command to connect.
  • `-R`: Disables external access to the group, restricts the use of the `newgrp` command to group members only.

Adding a user to a group

It is enough to execute the following command:
gpasswd -a new-user test-groupor use the command:
usermod -a -G new-group tester-userIf you want to assign `new-group` as the main group for the user `tester-user`, the command will look like this:
usermod -g new-group tester-userAny user can log in and join the new group by himself using the newgrp command.

Conclusion

We have considered the main ways of creating, deleting and modifying users and groups, as well as examples of using commands. Their competent use increases the security and stability of servers and ensures efficient administration.
11 Sep 2024, 18:29:31