Linux User and Group Management

The Linux system is a multi-user, multi-tasking, time-sharing operating system. Any user who wants to use system resources must first apply for an account from the system administrator, and then enter the system with that account.

User accounts help system administrators track users using the system and control their access to system resources; they also help users organize their files and provide security protection for users.

Each user account has a unique username and respective password.

After entering the correct username and password at login, the user can access the system and their home directory.

Managing user accounts involves several tasks:

• Adding, deleting, and modifying user accounts.
• Managing user passwords.
• Managing user groups.

I. Linux System User Account Management

User account management primarily involves adding, modifying, and deleting user accounts.

Adding a user account means creating a new account in the system and then assigning a user ID, group, home directory, and login shell to the new account. The newly added account is locked and cannot be used.

1. Adding a New User Account Using the useradd Command

useradd options username

Parameter explanation:

• Options:

  • -c comment Specifies a descriptive comment.
  • -d directory Specifies the user's home directory. If this directory does not exist, the -m option can be used to create it.
  • -g group Specifies the user's primary group.
  • -G group,group Specifies additional groups the user belongs to.
  • -s Shell file Specifies the user's login shell.
  • -u user ID Specifies the user's ID. If the -o option is used, it can reuse another user's ID.

• Username:

Example 1

# useradd -d /home/sam -m sam

This command creates a user named sam, with the -d and -m options creating a home directory /home/sam (where /home is the default parent directory for user home directories).

Example 2

# useradd -s /bin/sh -g group -G adm,root gem

This command creates a new user named gem, with the login shell /bin/sh, belonging to the group group, and also to the adm and root groups, with group being the primary group.

New groups might be created here: # groupadd group and groupadd adm

Adding a user account involves adding a new entry for the user in the /etc/passwd file and updating other system files like /etc/shadow and /etc/group.

Linux provides an integrated system management tool, userconf, which can be used for unified management of user accounts.

2. Deleting an Account

If a user account is no longer needed, it can be deleted from the system. Deleting a user account involves removing the user's record from system files such as /etc/passwd, and optionally deleting the user's home directory.

To delete an existing user account, use the userdel command:

userdel options username

A common option is -r, which deletes the user's home directory.

For example:

# userdel -r sam

This command deletes the user sam's record from system files (primarily /etc/passwd, /etc/shadow, /etc/group) and the user's home directory.

3. Modifying an Account

Modifying a user account involves changing the user's attributes such as user ID, home directory, group, and login shell.

To modify an existing user's information, use the usermod command:

usermod options username

Common options include -c, -d, -m, -g, -G, -s, -u, and -o, which have the same meaning as in the useradd command and can specify new resource values for the user.

Additionally, some systems may use the option: -l new username

This option specifies a new account name, changing the original username to the new one.

For example:

# usermod -s /bin/ksh -d /home/z -g developer sam

This command changes user sam's login shell to ksh, home directory to /home/z, and primary group to developer.

4. Managing User Passwords

Managing user passwords is an important aspect of user management. When a user account is first created, it has no password and is locked, making it unusable until a password is assigned, even if it is an empty password.

The Shell command to specify and modify a user's password is passwd. A superuser can assign passwords for themselves and other users, while regular users can only use it to change their own passwords. The command format is:

passwd options username

Available options:

• -l Locks the password, i.e., disables the account.
• -u Unlocks the password.
• -d Makes the account passwordless.
• -f Forces the user to change the password on the next login.

If the username is omitted, the command modifies the current user's password.

For example, if the current user is sam, the following command modifies that user's password:

$ passwd
Old password:******

New password:* Re-enter new password:*

If you are a superuser, you can specify a password for any user using the following format:

# passwd sam
New password:*******
Re-enter new password:*******

When a regular user modifies their own password, the passwd command will first ask for the old password, verify it, and then require the user to enter the new password twice. If the two entries match, the password is assigned to the user. Superusers, however, do not need to know the old password when assigning a new one.

For system security, users should choose a complex password, such as one that is 8 characters long, includes uppercase and lowercase letters, numbers, and is different from names, birthdays, etc.

To assign a null password to a user, execute the following command:

# passwd -d sam

This command removes the password for user sam, so the next time user sam tries to log in, the system will no longer allow them to log in.

The passwd command can also be used with the -l (lock) option to lock a user, preventing them from logging in, for example:

# passwd -l sam

II. Management of Linux System User Groups

Each user belongs to a user group, and the system can manage all users within a group collectively. Different Linux systems have varying rules for user groups, such as Linux users belonging to a group with the same name, which is created alongside the user.

User group management involves adding, deleting, and modifying groups. These operations actually update the /etc/group file.

1. To add a new user group, use the groupadd command. Its format is as follows:

groupadd options group

Available options include:

• -g GID Specifies the group identifier (GID) for the new user group.
• -o Usually used with -g, allows the new group's GID to be the same as an existing group's GID.

Example 1:

# groupadd group1

This command adds a new group called group1 to the system, with the group identifier being one more than the current highest GID.

Example 2:

# groupadd -g 101 group2

This command adds a new group called group2 to the system with the specified GID of 101.

2. To delete an existing user group, use the groupdel command, with the following format:

groupdel group

For example:

# groupdel group1

This command removes the group named group1 from the system.

3. To modify the attributes of a user group, use the groupmod command. Its syntax is as follows:

groupmod options group

Common options include:

• -g GID Specifies a new GID for the user group.
• -o Used with -g, allows the new GID to be the same as an existing group's GID.
• -n new_group_name Changes the name of the user group to the new name.

Example 1:

# groupmod -g 102 group2

This command changes the GID of group2 to 102.

Example 2:

# groupmod -g 10000 -n group3 group2

This command changes the GID of group2 to 10000 and renames it to group3.

4. If a user belongs to multiple groups, they can switch between these groups to gain the permissions of other groups.

After logging in, a user can switch to another group using the newgrp command, which takes the target group as its parameter. For example:

$ newgrp root

This command switches the current user to the root group, provided that the root group is either the user's primary or supplementary group. Similar to user account management, user group management can also be done through integrated system management tools.

III. System Files Related to User Accounts

There are various methods to accomplish user management tasks, but all methods essentially involve modifying relevant system files.

Information related to users and user groups is stored in several system files, including /etc/passwd, /etc/shadow, /etc/group, etc.

Below is a brief introduction to the contents of these files.

1. The /etc/passwd file is the most important file in user management.

Each user in the Linux system has a corresponding record in the /etc/passwd file, which contains basic attributes of the user.

This file is readable by all users. Its content resembles the following example:

# cat /etc/passwd

root:x:0:0:Superuser:/:
daemon:x:1:1:System daemons:/etc:
bin:x:2:2:Owner of system commands:/bin:
sys:x:3:3:Owner of system files:/usr/sys:
adm:x:4:4:System accounting:/usr/adm:

uucp:x:5:5:UUCP administrator:/usr/lib/uucp: auth:x:7:21:Authentication administrator:/tcb/files/auth: cron:x:9:16:Cron daemon:/usr/spool/cron: listen:x:37:4:Network daemon:/usr/net/nls: lp:x:71:18:Printer administrator:/usr/spool/lp: sam:x:200:50:Sam san:/home/sam:/bin/sh

From the examples above, we can see that each line in /etc/passwd corresponds to a user, with each line divided into 7 fields by colons (:). The format and specific meanings are as follows:

Username:Password:User ID:Group ID:Comment:Home directory:Login Shell

1) "Username" is a string representing the user account.

Typically, it is no more than 8 characters long and consists of uppercase and/or lowercase letters and/or numbers. The username cannot contain a colon (:), as it is the delimiter here.

For compatibility reasons, it is best not to include period characters (.) in the username, and avoid starting with hyphens (-) or plus signs (+).

2) "Password" In some systems, this field contains the encrypted user password.

Although this field stores only the encrypted string of the user password, not the plain text, it is still a security risk because /etc/passwd is readable by all users. Therefore, many Linux systems (such as SVR4) now use shadow technology, storing the actual encrypted user password in the /etc/shadow file, while placing a special character, such as "x" or "*", in the password field of the /etc/passwd file.

3) "User ID" is an integer used by the system to identify the user.

Usually, it is unique to the username. If several usernames have the same user ID, the system treats them as the same user, but they can have different passwords, home directories, and login shells.

Typically, the range for user IDs is 0 to 65,535. 0 is the identifier for the superuser root, 1 to 99 are reserved for system accounts, and regular user IDs start from 100. On Linux systems, this limit is 500.

4) "Group ID" field records the user's group membership.

It corresponds to an entry in the /etc/group file.

5) "Comment" field records some personal information about the user.

For example, the user's real name, phone number, address, etc. This field has no practical use. The format of this field is not standardized across different Linux systems. In many Linux systems, this field contains arbitrary descriptive text, used as output for the finger command.

6) "Home directory", which is the user's starting working directory.

It is the directory where the user is located after logging into the system. In most systems, users' home directories are organized under a specific directory, and the name of the home directory is the same as the user's login name. Each user has read, write, and execute (search) permissions for their own home directory, while other users' access permissions to this directory are set according to specific circumstances.

7) After logging in, a process is started to relay the user's operations to the kernel. This process is the command interpreter or a specific program that runs after the user logs in, i.e., the Shell.

The Shell is the interface between the user and the Linux system. There are many types of Shells in Linux, each with different characteristics. Common ones include sh (Bourne Shell), csh (C Shell), ksh (Korn Shell), tcsh (TENEX/TOPS-20 type C Shell), bash (Bourne Again Shell), etc.

The system administrator can specify a Shell for the user based on system conditions and user habits. If no Shell is specified, the system uses sh as the default login Shell, i.e., the value of this field is /bin/sh.

The user's login Shell can also be specified as a specific program (which is not a command interpreter).

This feature allows us to restrict users to running only specified applications, and after the application runs, the user automatically logs out of the system. Some Linux systems require that only registered programs can appear in this field.

8) There is a type of user called a pseudo user (pseudo users) in the system.

These users also have an entry in the /etc/passwd file but cannot log in because their login Shell is empty. Their existence is mainly to facilitate system management and meet the file ownership requirements of corresponding system processes.

Common pseudo users are as follows:

Pseudo User Meaning
bin Has executable user command files
sys Has system files
adm Has account files
uucp Used by UUCP
lp Used by lp or lpd subsystem
nobody Used by NFS

Has account files

1. In addition to the above pseudo users, there are many standard pseudo users, such as audit, cron, mail, usenet, etc., which are also required by related processes and files. Due to the fact that the /etc/passwd file is readable by all users, if a user's password is too simple or has a noticeable pattern, a regular computer can easily crack it. Therefore, Linux systems with high security requirements separate the encrypted password and store it in a separate file, which is the /etc/shadow file. Only the superuser has read permissions for this file, ensuring the security of user passwords.

2. Each record in /etc/shadow corresponds one-to-one with /etc/passwd, and it is automatically generated by the pwconv command based on the data in /etc/passwd.

Its file format is similar to /etc/passwd, consisting of several fields separated by colons (:). These fields are:

Login Name:Encrypted Password:Last Password Change:Minimum Password Age:Maximum Password Age:Warning Period:Inactivity Period:Expiration Date:Flags

• "Login Name" is the user account that matches the login name in /etc/passwd.
• "Password" field stores the encrypted user password, which is 13 characters long. If empty, the corresponding user has no password and does not require a password to log in. If it contains characters not in the set { ./0-9A-Za-z }, the corresponding user cannot log in.
• "Last Password Change" indicates the number of days since a certain point in time until the user last changed their password. The starting time may vary depending on the system. For example, in SCO Linux, this starting time is January 1, 1970.
• "Minimum Password Age" refers to the minimum number of days required between password changes.
• "Maximum Password Age" refers to the maximum number of days the password remains valid.
• "Warning Period" field indicates the number of days between when the system starts warning the user and when the password officially expires.
• "Inactivity Period" indicates the maximum number of days the account remains valid without any login activity.
• "Expiration Date" field provides an absolute number of days. If this field is used, it gives the lifespan of the corresponding account. After this period, the account is no longer valid and cannot be used to log in.

Here is an example of /etc/shadow:

# cat /etc/shadow
root:Dnakfw28zf38w:8764:0:168:7:::
daemon:*::0:0::::
bin:*::0:0::::
sys:*::0:0::::
adm:*::0:0::::
uucp:*::0:0::::
nuucp:*::0:0::::
auth:*::0:0::::
cron:*::0:0::::
listen:*::0:0::::
lp:*::0:0::::
sam:EkdiSECLWPdSa:9740:0:0::::

3. All group information is stored in the /etc/group file.

Grouping users is a method used in Linux systems to manage and control access permissions.

Each user belongs to a certain user group; a group can have multiple users, and a user can also belong to different groups.

When a user is a member of multiple groups, /etc/passwd records the user's primary group, which is the default group they belong to when logging in, and other groups are called supplementary groups.

To access files belonging to supplementary groups, the user must first use the newgrp command to become a member of the desired group.

All group information is stored in the /etc/group file. This file's format is similar to /etc/passwd, with several fields separated by colons (:). These fields are:

Group Name:Password:Group ID:Group Member List

• "Group Name" is the name of the user group, composed of letters or numbers. Like the login name in /etc/passwd, the group name should not be duplicated.
• "Password" field stores the encrypted password for the user group. Generally, Linux user groups do not have passwords, so this field is usually empty or an asterisk (*).
• "Group ID" is similar to the user ID and is an integer used internally by the system to identify the group.
• "Group Member List" is a list of all users belonging to this group, with different users separated by commas (,). This group could be the user's primary group or a supplementary group.

An example of the /etc/group file is as follows:

root::0:root
bin::2:root,bin
sys::3:root,uucp
adm::4:root,adm
daemon::5:root,daemon
lp::7:root,lp
users::20:root,sam

IV. Bulk User Addition

Adding and deleting users is a straightforward task for any Linux system administrator. However, it becomes more challenging when you need to add dozens, hundreds, or even thousands of users. It is impractical to use useradd one by one. Linux systems provide tools to create a large number of users quickly. The method is as follows:

(1) First, edit a text user file.

Each column should be written in the format of the /etc/passwd password file, ensuring that each user's username, UID, and home directory are unique. The password field can be left blank or filled with an "x". An example file user.txt content is as follows:

user001::600:100:user:/home/user001:/bin/bash

user002::601:100:user:/home/user002:/bin/bash
user003::602:100:user:/home/user003:/bin/bash
user004::603:100:user:/home/user004:/bin/bash
user005::604:100:user:/home/user005:/bin/bash
user006::605:100:user:/home/user006:/bin/bash

(2) Execute the command /usr/sbin/newusers as root, importing data from the newly created user file user.txt to create users:

# newusers < user.txt

Then you can execute the command vipw or vi /etc/passwd to check if these users' data has appeared in the /etc/passwd file and if their home directories have been created.

(3) Execute the command /usr/sbin/pwunconv.

This will decode the shadow passwords generated in /etc/shadow, write them back to /etc/passwd, and delete the shadow password fields in /etc/shadow. This is to facilitate the next step of password conversion, which is to disable the shadow password function.

# pwunconv

(4) Edit the password mapping file for each user.

The format is:

username:password

Example file passwd.txt content is as follows:

user001:123456
user002:123456
user003:123456
user004:123456
user005:123456
user006:123456

(5) Execute the command /usr/sbin/chpasswd as root.

Create user passwords, chpasswd will write the encoded passwords, processed by /usr/bin/passwd, into the password field of /etc/passwd.

# chpasswd < passwd.txt

(6) Ensure that the passwords are encoded and written into the password field of /etc/passwd.

Execute the command /usr/sbin/pwconv to encode the passwords into shadow passwords and write the results into /etc/shadow.

# pwconv

This completes the creation of a large number of users. Afterwards, you can check the permission settings of these users' home directories under /home to ensure they are correct, and log in to verify the user passwords.