Adding and managing users and groups
Beyond the Basics
The command line provides all the necessary tools for creating and maintaining multiple accounts. By understanding these commands, you can more effectively manage your system.
If you have ever done any system administration, chances are you have added an account or a group. However, both tasks offer possibilities beyond the plain command. Not only do numerous options exist to modify the basic command, but a variety of other commands are available for manipulating users and groups and viewing their activities.
Users and groups are means of controlling access to a Linux system. A user account gives normal access to a system, whereas user membership in a group gives access to different hardware, subsystems, and files. Typically, each user account is matched with a group of the same name, so that users can access the files in their home directory. In some distributions, only the ordinary user created during installation has full non-root access, and you might have to add new users to each group to which the first user belongs.
Adding and Deleting
In Debian-based distributions, the easiest way to create a new user is with adduser, a script that leads you through the process. After you enter the command adduser NAME, you are prompted for a name, a password, and optional contact information that in effect turns a list of users into a contact list. Other information, such as the user ID (UID), is created for you, starting with 1000 (Figure 1). Non-Debian distributions also include adduser, but in most cases it is an alias for useradd.
In all distributions, the basic command for creating users is useradd. However, unlike adduser, entering the command and a username is not enough. To start, you need to create a home directory for the account with --create-home (-m). If you do not want the home directory to be a subfolder of /home, you need to specify the base directory with --base-dir DIRECTORY (-b). When making a home directory, you probably want to include the option --skel DIRECTORY (-k) to add default files to it.
Additionally, you'll probably want to specify the password with --password PASSWORD (-p) and groups beside the account's own group with --groups GROUPS (-G). Note that -p expects an already-encrypted password, as produced by crypt(3), and because the string appears in process listings and shell history, it is usually better to leave the password unset and run passwd afterwards. Other characteristics of the account will be those listed by entering useradd -D, an option that can also be used for editing the defaults with useradd -D OPTION. You can also specify the account's shell with --shell SHELL (-s) and its UID with --uid UID (-u) (Figure 2).
The useradd command can also set a couple of options for users' passwords, although they seem to be little used on smaller systems. For example, with --expiredate DATE (-e), you can set the date on which an account's password expires. Usually, you will want to accompany --expiredate with --inactive DAYS (-f), to set the number of days after expiration before the account is disabled. When the account is disabled, its files are preserved, but the user cannot log in.
Except for the options for password expiration, groups have a similar set of commands. Both the Debian addgroup command and the more generally used groupadd have options similar to adduser. In both, you can specify the group ID (GID) and a password. The main difference from the basic user commands is that in both group commands you can use the --system option to create a group that helps to run the system, instead of one to which users can be assigned.
To remove users, Debian-based systems have deluser, with the convenient option --backup-to DIRECTORY, which automatically removes all groups the user is in. The exception is the user's private group, which cannot be deleted until the user is removed. The deluser command has the option --remove-home to delete the home directory or, in case the user has files elsewhere in the system, --remove-all-files. By contrast, userdel has only the options to --force (-f) deletion or --remove (-r) to delete the user's home directory.
Usermod and Groupmod
The usermod and groupmod commands are for editing users and groups after they are created. Many of the usermod options mirror those of useradd, including --shell SHELL (-s), --uid UID (-u), --expiredate DATE (-e), and --inactive DAYS (-f).
To this set of options, usermod adds --login NAME (-l), which can only be changed when the user is not logged in, and --password PASSWORD (-p).
Other options change the groups to which the account belongs. With --gid GROUP (-g), the root user can change the initial group name or GID for an account. Supplementary group membership is modified with --groups GROUPS (-G), in preference to editing /etc/group in a text editor, which does not update /etc/gshadow. The groups are specified in a comma-separated list with no whitespace. Note that -G replaces the account's existing list unless it is combined with --append (-a), so omitting -a can silently drop the account from groups such as sudo.
An especially useful option for usermod is --lock (-L), which prevents anyone from using the account to log in with a password. The lock is represented by adding an exclamation mark (!) at the start of the password hash in /etc/shadow. The lock is applied with no warning or confirmation message and can be removed with --unlock (-U). As you might expect, the two cannot be used together or with --password (-p), although changing the password would be just as effective in preventing the account from being used. Bear in mind that the lock only affects password authentication; SSH keys and other non-password logins still work unless the account is also expired, for example with --expiredate 1.
The groupmod command has far fewer options than usermod, possibly because it can potentially have farther-reaching effects – in fact, on systems that use sudo rather than the root account, careless use could leave you unable to do any administration. At any rate, groupmod uses only three options: --gid (-g) to change the GID, --new-name NAME (-n) to change the group name, and --password (-p) to add or change the group password – an option that may be useful on a large system but often not on the average home setup.
Other Administration Commands
Several other commands for both users and groups also exist. For example, groups USER lists the different groups to which the specified user belongs. The same information can be obtained from id USER. At one time, the users command could be used to see user activity listed in the logs. However, because the logs are binary now that systemd is used in most major distributions, you need to use journalctl to read them or obtain some of the same information with a combination of finger and who instead.
On systems that use shadow files to help conceal passwords, you can use a set of four commands to set up and edit the system, making sure that key files are in sync:
pwconv creates /etc/shadow from /etc/passwd.
pwunconv recreates /etc/passwd from /etc/passwd and /etc/shadow, then removes /etc/shadow.
grpconv creates /etc/gshadow from /etc/group.
grpunconv recreates /etc/group from /etc/group and /etc/gshadow, then removes /etc/gshadow.
On larger systems, where user accounts are created and deleted regularly, these commands can help avoid possible problems.
A somewhat safer alternative for syncing files is grpck. This command edits /etc/group and /etc/gshadow, the file that helps hide group information on some systems (Figure 3). To be specific, grpck checks the validity and uniqueness of each group's name, GID, and members, as well as looking for matching entries in /etc/gshadow and removing duplications or obsolete or corrupted information.
With the addition of the --read-only (-r) option, grpck lists entries that need correcting without making any changes – an option that should be run first to avoid any problems. The command can also use --sort (-s) to arrange information alphabetically, instead of adding newer entries at the bottom of the list.