If you’re managing a Linux server, you likely have many user accounts to manage, and in addition, many files and settings to control. Below are some commands and questions that are important when setting up and managing user accounts and access permissions.
User and group IDs
First, when managing user accounts, you need to know the user ID (UID) and group ID (GID). Most accounts are such that each user is the only member of a group with the same name as the user account. In fact, both are set when creating the account using the useradd command. When you list the user’s home directory, you should see something like this:
$ ls -ld /home/dbell
drwxr-xr-x. 8 dbell dbell 4096 Mar 23 2021 /home/dbell
              ^     ^
              |     |
            user   group
Note that both the username and group name are “dbell”. To see the numerical equivalents of these values, use the following command instead:
$ ls -ldn dbell
drwxr-xr-x. 8 1003 1003 4096 Mar 23 2021 dbell
              ^    ^
              |    |
             UID  GID
Both the user name and the group name have the numerical value 1003. The names displayed are looked up in the /etc/passwd and /etc/group files, which map names to their numerical values.
$ grep dbell /etc/passwd /etc/group
/etc/passwd:dbell:x:1003:1003:Dana Bell:/home/dbell:/bin/bash
/etc/group:dbell:x:1003:
Important files
Some of the most important files to deal with when managing user accounts are /etc/passwd, /etc/shadow, and /etc/group. As shown above, /etc/passwd and /etc/group hold the UID and GID, and /etc/passwd also holds the user's home directory and login shell. Any groups to which a user belongs, including their personal group, are recorded in /etc/group. The /etc/shadow file contains the password hashes and the password-aging parameters that keep passwords protected and force users to change them regularly.
These entries are set when using the useradd command, which adds lines to the /etc/passwd file, /etc/group file, and /etc/shadow file.
$ sudo useradd newuser
$ sudo grep newuser /etc/passwd /etc/group /etc/shadow
/etc/passwd:newuser:x:1019:1019::/home/newuser:/bin/bash
/etc/group:newuser:x:1019:
/etc/shadow:newuser:!!:19372:0:99999:7:::
Note that sudo is required to create the account and view the /etc/shadow file.
The new account is automatically assigned the next available UID. On most Linux systems, the first regular user account has a UID of 1000, and each additional user is one higher than the previous one; UIDs below that are used for system accounts. As shown in the bottom line of the output above, there is no password hash when the account is first created. The field appears as !! until a password is assigned. When a password is set, a long string representing the password hash replaces the two exclamation points.
System administrators often set a temporary password for new users, then expire the password using a second sudo command as shown below, and then require the user to set a new password when they first log in. This way, only the user knows the account’s password.
$ sudo passwd newuser
New password:
Retype new password:
$ sudo passwd -e newuser
The fifth (colon-separated) field in /etc/passwd holds the user's full name and/or a description; it is often called the comment field.
This can be set when creating the account or later with the usermod -c command. Alternatively, with superuser privileges, you can simply edit the /etc/passwd file to add the full name.
$ sudo usermod -c "Dana Bell" dbell
$ grep dbell /etc/passwd
dbell:x:1003:1003:Dana Bell:/home/dbell:/bin/bash
                  ^
                  |
         full name or description
To include the full name when initially setting up the account, use a command like this:
$ sudo useradd -c "Dana Bell" dbell
Delete user account
While the useradd command creates accounts and the usermod command allows you to make changes to accounts, the userdel command can be used to delete accounts. However, it is important to understand that the userdel command does not delete the user’s home directory unless you include the -r option as follows:
$ sudo userdel -r newuser
View user settings
While it is easy to extract information from the /etc/passwd and /etc/group files using grep, another very useful command for looking up user accounts is the id command, which shows the UID, GID and group memberships in one very convenient format.
$ id newuser
uid=1019(newuser) gid=1019(newuser) groups=1019(newuser)
$ id shs
uid=1000(shs) gid=1000(shs) groups=1000(shs),10(wheel),900(techs)
Add a user to a secondary group
The usermod command also provides a way to add users to secondary groups. For example, the command shown below adds the user to the techs group. You can then use the id command to verify the change.
$ sudo usermod -a -G techs newuser
$ id newuser
uid=1019(newuser) gid=1019(newuser) groups=1019(newuser),20(techs)
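To tie the file formats described earlier to the id output above, here is an added example (not code from the original article) that parses constructed /etc/passwd, /etc/group and /etc/shadow content, rebuilds the line that id would print for a user, and lists accounts whose shadow hash field means no usable password. The user names, GIDs and hash strings are constructed sample values modelled on the article's examples, not real system data.

```python
"""Added example (not from the original article): parse constructed
passwd/group/shadow text, rebuild `id` output, flag unusable passwords."""

# Constructed sample content modelled on the article's examples.
PASSWD = """shs:x:1000:1000:Sandra:/home/shs:/bin/bash
dbell:x:1003:1003:Dana Bell:/home/dbell:/bin/bash
newuser:x:1019:1019::/home/newuser:/bin/bash
"""
GROUP = """wheel:x:10:shs
techs:x:900:shs,newuser
shs:x:1000:
dbell:x:1003:
newuser:x:1019:
"""
SHADOW = """shs:$6$constructed$notarealhash:19000:0:99999:7:::
dbell:$6$constructed$notarealhash:19100:0:99999:7:::
newuser:!!:19372:0:99999:7:::
"""

def parse_passwd(text):
    """name -> (uid, gid, comment, home, shell); seven colon-separated fields."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _pw, uid, gid, comment, home, shell = line.split(":")
        users[name] = (int(uid), int(gid), comment, home, shell)
    return users

def parse_group(text):
    """name -> (gid, set of secondary members listed in the fourth field)."""
    groups = {}
    for line in filter(None, text.splitlines()):
        gname, _pw, gid, members = line.split(":")
        groups[gname] = (int(gid), {m for m in members.split(",") if m})
    return groups

def id_of(user, users, groups):
    """Rebuild the `id` line: the primary group comes from the passwd GID,
    secondary groups from every /etc/group entry that names the user."""
    uid, gid = users[user][0], users[user][1]
    primary = next(g for g, (n, _) in groups.items() if n == gid)
    parts = [f"{gid}({primary})"] + [f"{n}({g})" for g, (n, m) in groups.items()
                                     if user in m and g != primary]
    return f"uid={uid}({user}) gid={gid}({primary}) groups={','.join(parts)}"

def unusable_passwords(text):
    """Names whose hash field is '!!' (never set) or starts with '!' or '*'
    (locked); no typed password can match any of these."""
    return [line.split(":")[0] for line in filter(None, text.splitlines())
            if line.split(":")[1][:1] in ("!", "*")]
```

Running unusable_passwords over real /etc/shadow content (with sudo) is a quick way to confirm that every new account has had its temporary password set before the user is expected to log in.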
Summary
Linux makes it very easy to set up, change, and delete accounts, but you do need to know some important commands to properly manage user accounts and user permissions.