Linux, a multi-user operating system, is built on the principle of separating resources and access through users and groups. Whether you’re a system administrator, developer, or hobbyist, understanding how to manage users and groups is foundational to securing your system, controlling access to files, and maintaining order in multi-user environments. This guide will walk you through the core concepts of Linux user and group management, essential commands, common workflows, and best practices to ensure you can confidently administer users and groups on any Linux system.
Table of Contents
- Understanding Linux Users and Groups
- User Management
- Group Management
- File Permissions and Ownership
- Common Practices
- Best Practices
- Conclusion
- References
1. Understanding Linux Users and Groups
What Are Users?
A user is an entity that interacts with the Linux system. Each user has a unique identifier called a UID (User ID). Linux categorizes users into two main types:
- Regular Users: Created for human users (e.g., developers, admins). UIDs typically range from 1000 to 60000 (varies by distribution).
- System Users: Created by the OS for running services (e.g., www-data for web servers, mysql for databases). UIDs usually range from 1 to 999.
Every process on Linux runs as a user, and file access is determined by the user’s permissions.
What Are Groups?
A group is a collection of users who share common permissions. Groups simplify access control: instead of assigning permissions to individual users, you assign them to a group. Each group has a unique GID (Group ID).
- Primary Group: Every user has exactly one primary group (defined in /etc/passwd). When a user creates a file, the file’s group ownership defaults to their primary group.
- Secondary Groups: Users can belong to multiple secondary groups (defined in /etc/group), which grant additional permissions.
Key Files: /etc/passwd, /etc/group, and /etc/shadow
Linux stores user and group data in plaintext files (no need for a database!):
/etc/passwd
Stores basic user information (world-readable). Each line represents a user:
john:x:1001:1001:John Doe:/home/john:/bin/bash
Fields (colon-separated):
- john: Username
- x: Password placeholder (actual password stored in /etc/shadow)
- 1001: UID
- 1001: GID (primary group)
- John Doe: GECOS (user info, e.g., full name)
- /home/john: Home directory
- /bin/bash: Default shell
/etc/group
Stores group information (world-readable). Each line represents a group:
developers:x:1002:john,jane
Fields:
- developers: Group name
- x: Password placeholder (rarely used)
- 1002: GID
- john,jane: Members (secondary group users)
/etc/shadow
Stores password hashes and password-aging policy (readable only by root). Example line:
john:$6$abc123...:19500:0:99999:7:::
Fields (colon-separated): username, hashed password ($6$ marks SHA-512 crypt; a leading ! or * means the account is locked), date of last password change (days since 1970-01-01), minimum password age, maximum password age, warning period before expiry, inactivity period after expiry, account expiration date, and a reserved field.
2. User Management
Let’s dive into the commands to create, modify, and delete users.
Creating Users: useradd and adduser
Two common tools for creating users:
- useradd: Low-level command (works across all Linux distros).
- adduser: High-level script (more user-friendly, pre-installed on Debian/Ubuntu; uses useradd under the hood).
useradd (Basic Usage)
Create a user with a home directory and default shell:
sudo useradd -m -s /bin/bash alice
Flags:
- -m (or --create-home): Create a home directory (/home/alice).
- -s (or --shell): Set default shell (e.g., /bin/bash, /bin/zsh).
Create a system user (no home directory, no login shell):
sudo useradd -r -s /sbin/nologin apache
- -r (or --system): Create a system user (UID < 1000).
- -s /sbin/nologin: Prevent interactive login.
adduser (Debian/Ubuntu)
Interactive and prompts for details (full name, password, etc.):
sudo adduser bob
adduser automatically creates the home directory, sets the shell, and prompts for a password—great for beginners!
Setting/Changing Passwords: passwd
Use passwd to set or update a user’s password:
# Set password for "alice" (run as root or with sudo)
sudo passwd alice
# Change your own password (no sudo needed)
passwd
Password complexity rules (e.g., minimum length, mix of character classes) are enforced through PAM, and most distributions ship a default policy.
Modifying Users: usermod
Update user attributes with usermod (use sudo for all operations).
Examples:
- Change a user’s shell:
  sudo usermod -s /bin/zsh alice
- Add a user to a secondary group (use -aG to avoid removing existing groups!):
  sudo usermod -aG developers alice # Add alice to "developers" group
- Lock/unlock a user account:
  sudo usermod -L alice # Lock (prevents login)
  sudo usermod -U alice # Unlock
- Change home directory (and move files with -m):
  sudo usermod -d /newhome/bob -m bob
Deleting Users: userdel
Remove a user with userdel. Always use -r to delete their home directory and mail spool (otherwise, orphaned files remain!):
sudo userdel -r charlie # Delete user "charlie" and /home/charlie
3. Group Management
Creating Groups: groupadd
Create a new group with groupadd:
sudo groupadd designers # Create group "designers" with auto-generated GID
Create a group with a specific GID:
sudo groupadd -g 1010 devops # GID=1010
Modifying Groups: groupmod
Update group attributes with groupmod:
sudo groupmod -n dev-team developers # Rename group "developers" to "dev-team"
sudo groupmod -g 1015 dev-team # Change GID to 1015
Deleting Groups: groupdel
Delete a group (only if no user uses it as their primary group):
sudo groupdel designers
Adding/Removing Users from Groups
Two common methods:
1. usermod -aG (Add to Secondary Group)
sudo usermod -aG dev-team alice # Add alice to "dev-team"
2. gpasswd (Interactive Group Management)
Add a user to a group:
sudo gpasswd -a bob dev-team
Remove a user from a group:
sudo gpasswd -d bob dev-team
Make a user the group administrator (can add/remove members):
sudo gpasswd -A alice dev-team
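The commands in sections 2 and 3 are usually run from a provisioning script rather than by hand. The following added example (my own code, not from the article) ties groupadd, useradd -m -s and usermod -aG together in an idempotent onboarding helper: it checks with getent before creating anything, validates names against the pattern useradd accepts by default (an assumption stated in the comments), and, with DRY_RUN=1 (the default here), only prints the commands so the plan can be reviewed before it is executed with root privileges.

```shell
#!/bin/sh
# Added example, not part of the original article: idempotent onboarding that
# wraps groupadd / useradd / usermod. DRY_RUN=1 prints instead of executing.
export LC_ALL=C
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# valid_name NAME: assumed to match useradd's default name rule
# (starts with a lowercase letter or '_', then [a-z0-9_-], at most 32 chars).
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# account_exists DB NAME: DB is "passwd" or "group"; uses getent when
# available (so LDAP/centralized users are seen too), else the local file.
account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent "$1" "$2" >/dev/null 2>&1
    else
        grep -q "^$2:" "/etc/$1"
    fi
}

# ensure_group GROUP: create the group only if it does not exist yet.
ensure_group() {
    valid_name "$1" || { echo "invalid group name: $1" >&2; return 1; }
    if account_exists group "$1"; then
        echo "group $1 exists"
    else
        run groupadd "$1"
    fi
}

# ensure_user USER [GROUP...]: create USER with a home directory and bash
# shell if missing, then append the secondary groups (-aG, never plain -G,
# which would replace the existing membership).
ensure_user() {
    user="$1"; shift
    valid_name "$user" || { echo "invalid user name: $user" >&2; return 1; }
    if account_exists passwd "$user"; then
        echo "user $user exists"
    else
        run useradd -m -s /bin/bash "$user"
    fi
    for g in "$@"; do
        ensure_group "$g" || return 1
        run usermod -aG "$g" "$user"
    done
}

# lock_user USER: disable login while keeping the home directory intact.
lock_user() {
    run usermod -L "$1"
}

# Usage (dry run by default): plan onboarding of alice into dev-team.
ensure_user alice dev-team
```

Run it as root with DRY_RUN=0 to apply the plan; because every step checks for existing accounts first, re-running it is safe.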
Checking User/Group Membership
Verify a user’s groups with:
groups alice # List all groups for "alice"
id alice # Show UID, GID, and groups (more detailed)
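To see what groups and id actually compute, here is an added example (my own code, not from the article) that resolves a user's primary and secondary groups directly from passwd(5)- and group(5)-format text, using the field layout described for /etc/passwd and /etc/group in section 1. The two files are constructed sample data written to temporary files, so it runs without root; point the functions at the real files to audit a host.

```shell
#!/bin/sh
# Added example, not part of the original article: resolve group membership
# from passwd/group-format files. Sample data below is constructed.
set -u
PASSWD_SAMPLE=$(mktemp)
GROUP_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE"' EXIT
cat >"$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
john:x:1001:1001:John Doe:/home/john:/bin/bash
jane:x:1002:1002:Jane Roe:/home/jane:/bin/zsh
EOF
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
www-data:x:33:
john:x:1001:
jane:x:1002:
developers:x:1003:john,jane
sudo:x:27:jane
EOF

# passwd_field USER N [FILE]: field N of USER's passwd entry
# (1=name 2=password placeholder 3=UID 4=GID 5=GECOS 6=home 7=shell).
passwd_field() {
    awk -F: -v u="$1" -v n="$2" '$1 == u { print $n; exit }' "${3:-$PASSWD_SAMPLE}"
}

# gid_to_name GID [FILE]: group name for a numeric GID (field 3 of group(5)).
gid_to_name() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }' "${2:-$GROUP_SAMPLE}"
}

# user_groups USER: primary group first (from the GID in passwd), then every
# group whose member list (field 4 of group(5)) names USER, like `groups USER`.
user_groups() {
    local user="$1" gid primary secondary
    gid=$(passwd_field "$user" 4)
    [ -n "$gid" ] || return 1            # unknown user
    primary=$(gid_to_name "$gid")
    secondary=$(awk -F: -v u="$user" -v p="$primary" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == u && $1 != p) names = names (names ? " " : "") $1 }
        END { print names }' "$GROUP_SAMPLE")
    printf '%s\n' "$primary${secondary:+ $secondary}"
}

# Usage: prints "john developers" and "jane developers sudo".
user_groups john
user_groups jane
```

Because membership is read from both files, a user can appear in a group either through the GID in /etc/passwd or through the member list in /etc/group; the function handles both and returns failure for an unknown user.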
4. File Permissions and Ownership
Users and groups exist to control access to files. Let’s link them to Linux file permissions.
Understanding Permissions
Use ls -l to view file permissions and ownership:
ls -l file.txt
Output:
-rw-r--r-- 1 john dev-team 1024 Jan 1 12:00 file.txt
Breakdown:
- -rw-r--r--: Permissions (user, group, others)
- 1: Number of hard links
- john: Owner (user)
- dev-team: Group owner
- 1024: File size (bytes)
- Jan 1 12:00: Modification date
- file.txt: Filename
Permission Symbols
Permissions are split into three categories:
- u: User (owner of the file)
- g: Group (members of the file’s group)
- o: Others (all other users)
Each category has three possible permissions:
- r (read): View file content (4 in numeric form)
- w (write): Edit/delete file (2 in numeric form)
- x (execute): Run the file (for scripts/programs; 1 in numeric form)
Changing Permissions: chmod
Use chmod to modify permissions. Two syntaxes: symbolic (human-readable) and numeric (faster for experts).
Symbolic Syntax
Format: chmod [who][operator][permission] file
- who: u (user), g (group), o (others), a (all)
- operator: + (add), - (remove), = (set exactly)
- permission: r, w, x
Examples:
chmod u+x script.sh # Add execute permission for the owner
chmod g-w file.txt # Remove write permission for the group
chmod o=rx file.txt # Set others to read/execute (no write)
chmod a+r docs/ # Add read permission for all users (recursive with -R)
Numeric Syntax
Permissions are represented as a 3-digit number (user, group, others), where each digit is the sum of r=4, w=2, x=1:
| Numeric | Symbolic | Meaning |
|---|---|---|
| 7 | rwx | Read, write, execute |
| 6 | rw- | Read, write |
| 5 | r-x | Read, execute |
| 4 | r-- | Read only |
| 0 | --- | No permissions |
Examples:
chmod 755 script.sh # User: rwx, Group: r-x, Others: r-x
chmod 600 secret.txt # User: rw-, Group: ---, Others: --- (private!)
chmod -R 770 project/ # Recursively set rwx for user/group, no access for others
Changing Ownership: chown and chgrp
- chown: Change the file owner (and group, optionally).
  sudo chown alice file.txt # Owner = alice
  sudo chown alice:dev-team file.txt # Owner = alice, Group = dev-team
  sudo chown -R alice:dev-team docs/ # Recursively change owner/group
- chgrp: Change only the group owner.
  sudo chgrp dev-team report.pdf
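The numeric and symbolic forms above are two spellings of the same nine permission bits. The following added example (my own code, not from the article) converts between them, applies modes with chmod to files in a scratch directory, reads them back with stat, and lists any file that is world-writable, the condition the chmod 600 and 770 examples are meant to rule out. It assumes GNU or BusyBox stat (-c %a) and find (-perm -002); chown is left out because changing a file's owner needs root.

```shell
#!/bin/sh
# Added example, not part of the original article: numeric <-> symbolic mode
# conversion plus a world-writable file check on constructed scratch files.
set -u

# mode_to_symbolic NNN: 755 -> rwxr-xr-x (three octal digits, no special bits)
mode_to_symbolic() {
    case "$1" in [0-7][0-7][0-7]) ;; *) echo "bad mode: $1" >&2; return 1 ;; esac
    out=""
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do   # "755" -> "7 5 5"
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# symbolic_to_mode rwxr-xr-x -> 755: each triplet sums r=4, w=2, x=1
symbolic_to_mode() {
    [ ${#1} -eq 9 ] || { echo "bad symbolic mode: $1" >&2; return 1; }
    total=""
    for trip in $(printf '%s\n' "$1" | sed 's/^\(...\)\(...\)\(...\)$/\1 \2 \3/'); do
        v=0
        case "$trip" in r??) v=$((v + 4)) ;; esac
        case "$trip" in ?w?) v=$((v + 2)) ;; esac
        case "$trip" in ??x) v=$((v + 1)) ;; esac
        total="$total$v"
    done
    printf '%s\n' "$total"
}

# mode_of FILE: the permission bits as an octal string (GNU/BusyBox stat assumed)
mode_of() { stat -c '%a' "$1"; }

# world_writable DIR: names of regular files with the o+w bit (-perm -002) set
world_writable() {
    find "$1" -type f -perm -002 -exec basename {} \; | sort
}

# Constructed scratch files, removed on exit.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
: > "$scratch/script.sh"; : > "$scratch/secret.txt"; : > "$scratch/shared.txt"
chmod 755 "$scratch/script.sh"     # owner rwx, group and others r-x
chmod 600 "$scratch/secret.txt"    # owner only
chmod 666 "$scratch/shared.txt"    # deliberately world-writable, to be caught

# Usage: show each file's mode in both notations, then flag the risky one.
for f in script.sh secret.txt shared.txt; do
    m=$(mode_of "$scratch/$f")
    printf '%-12s %s %s\n' "$f" "$m" "$(mode_to_symbolic "$m")"
done
printf 'world-writable: %s\n' "$(world_writable "$scratch")"
```

The world_writable check is the one to run over shared project trees after a chmod -R: a single 666 or 777 file undoes the group-based access control the rest of this section sets up.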
5. Common Practices
- Create Users with Home Directories: Always use useradd -m or adduser to ensure users have a home folder (/home/username).
- Set Default Shells: Use /bin/bash or /bin/zsh for interactive users; /sbin/nologin for system users.
- Manage Sudo Access: Add trusted users to the sudo group (Debian/Ubuntu) or wheel group (RHEL/CentOS) to grant admin privileges:
  sudo usermod -aG sudo alice # Debian/Ubuntu
  sudo usermod -aG wheel alice # RHEL/CentOS
- Audit Users/Groups: Use getent passwd to list all users or getent group to list all groups (works with LDAP/centralized systems too).
6. Best Practices
- Principle of Least Privilege: Only grant users/groups the minimum permissions needed. Avoid adding users to sudo unless necessary.
- Strong Passwords: Enforce password complexity with pam_cracklib (configured in /etc/pam.d/common-password).
- Regular Audits: Check for unused accounts with lastlog (users who never logged in) or find /home -type d -mtime +365 (inactive home dirs).
- Disable Unused Accounts: Lock accounts with usermod -L instead of deleting them (in case data is needed later).
- Centralize Management: For large environments, use LDAP, Active Directory, or tools like Ansible to manage users/groups at scale.
- Avoid Direct root Login: Use sudo for admin tasks to log actions (via /var/log/auth.log).
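The "Regular Audits" and "Least Privilege" points become concrete once they are scripted. Here is an added example (my own code, not from the article) that runs three checks over passwd(5)- and shadow(5)-format text: accounts other than root with UID 0, accounts whose shadow password field is empty (no password required at all), and system accounts that kept an interactive shell instead of nologin. The input is constructed sample data in temporary files; on a real host the functions take /etc/passwd and /etc/shadow as arguments, the latter readable only by root.

```shell
#!/bin/sh
# Added example, not part of the original article: account audit over
# passwd/shadow-format files. The sample data below is constructed.
set -u
PW=$(mktemp); SH=$(mktemp)
trap 'rm -f "$PW" "$SH"' EXIT
cat >"$PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
charlie:x:1002:1002:Charlie:/home/charlie:/bin/bash
EOF
cat >"$SH" <<'EOF'
root:$6$constructedhash:19500:0:99999:7:::
backup:*:19500:0:99999:7:::
mysql:!:19500:0:99999:7:::
toor:$6$constructedhash:19500:0:99999:7:::
alice:$6$constructedhash:19500:0:90:7:::
charlie::19500:0:99999:7:::
EOF

# extra_uid0 [PASSWD]: any account besides root with UID 0 (field 3) has full
# superuser power and must be explained or removed.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-$PW}"; }

# passwordless [SHADOW]: an empty second field means login without a password;
# "!" or "*" means locked, which is the safe state for service accounts.
passwordless() { awk -F: '$2 == "" { print $1 }' "${1:-$SH}"; }

# system_with_shell [PASSWD]: system accounts (0 < UID < 1000) whose shell
# (field 7) is not nologin or false, contrary to the useradd -r -s guidance.
system_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "${1:-$PW}"
}

# audit_report: print every finding and a count; exit status 1 if any.
audit_report() {
    findings=0
    for u in $(extra_uid0); do
        echo "UID 0 account besides root: $u"; findings=$((findings + 1))
    done
    for u in $(passwordless); do
        echo "account with empty password: $u"; findings=$((findings + 1))
    done
    for u in $(system_with_shell); do
        echo "system account with login shell: $u"; findings=$((findings + 1))
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: on the sample data this reports toor, charlie and mysql (3 findings).
audit_report
```

Each finding maps to a fix already covered in this guide: an unexplained UID 0 account is deleted with userdel, an empty password is set with passwd or the account is locked with usermod -L, and a service account gets its shell changed with usermod -s /sbin/nologin.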
7. Conclusion
Linux user and group management is the cornerstone of system security and access control. By mastering commands like useradd, groupmod, and chmod, you can ensure users have the right access to resources—no more, no less. Remember to follow best practices like least privilege and regular audits to keep your system secure.
With this guide, you’re now equipped to manage users and groups like a pro. Experiment with the commands in a safe environment (e.g., a VM) to build confidence!