cosmicqbit.dev

Linux User Management

Linux User Management

A comprehensive guide on how to manage users on Linux.

Shariq Raza Qadri's photo
Shariq Raza Qadri
Β·

7 min read

Table of contents

In different organizations across the world we have a hierarchy of power distribution, a top-down approach for instance. The major advantage of power distribution is that it keeps check on the privileges, a member of the organization is enjoying.

Likewise, in the world of Operating Systems, in this case Linux, we need a system in place to keep a check on the privileges so that no user or process goes on flexing its power or exploiting the system resources, that is where user management comes into play.

Linux is primarily a multiuser operating system, a concept it has inherited from UNIX. Each user is allocated with a user ID that can be given access to executables, files and other Linux utilities.

We have two types of user accounts in Linux.

  1. System users or system accounts : Programs (also called daemons) use these types of accounts to run background processes.
  2. Regular users : A human user who interacts with the Linux via Shell.

User ID

Linux uses a 32-bit identification number called UID to keep track of users. There is also a special type of user with the UID 0, usually called root. This 'superuser' stands at the top of the power hierarchy, thus it is permitted to do do anything on the system with no restrictions. It's generally not advised to operate as a root user for obvious reasons.

The UID management do vary across distributions, however many distros stick to the below convention.

  • UID 0 - root
  • UID 1 to 999 - reserved for system users.
  • UID 65534 - user nobody; as an example it allow daemons to run with minimum privileges.
  • UID 1000 to 65533 and 65536 to 4294967294 - range for regular users.

To get your own UID, run

$ id -u
2345692

User file interface

For actually implementing the user management, Linux uses a simple file-based interface which comprises of following four files.

PurposeFile
User database/etc/passwd
Group database/etc/group
User passwords/etc/shadow
Group passwords/etc/gshadow

You can think of /etc/passwd as a mini user database which keeps track of user names, UIDs, group membership, and metadata, such as home dir & default login shell allocated to regular users. Let's take an example

$cat /etc/passwd
root:x:0:0:root:/root:/bin/bash             (1)
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin     (2)

(1) The root user has UID 0

(2) A sytem account

Let's have a closer look at one of the lines in /etc/passwd to understand the structure of a user entry in detail:

User manage.png

  • πŸ’» The login shell of the user.
  • 🏠 The home directory of user.
  • 🎫 User information such as full name or contact.
  • πŸ‘₯ The user's primary group
  • πŸ‘€ The user ID (UID)
  • πŸ” The user's password, with the x character meaning that the encrypted password is stored in /etc/shadow.
  • πŸ‘‘ The username, which must be 32 characters or less

One thing we notice here is the password is not found in /etc/passwd that is because the directory /etc/shadow can be read by any user on the system. So the passwords are actually stored in a file called /etc/shadow which needs root privileges to be read.

Creating user account

To add a user, we use useradd command as follows:

$sudo useradd qbit

The user qbit is created. You can confirm by running

$tail -n 1 /etc/passwd
qbit:x:1001:1001::/home/qbit:/bin/sh

The default useradd config is stored in /etc/default/useradd. When the user is created the useradd command also reads the contents of file /etc/login.defs - which is known for configuration control definitions for the login package, basically options for the shadow password file, like expiry policy etc.

Note: There is also another command to create users adduser which uses useradd in the backed. It's more polished and comes with many new options. You can check it's usage & options by running man adduser.

Setting up password

To actually login into newly created user account we first need to setup a password, which is achieved by running:

$sudo passwd qbit
New password:
Retype new password:

Now to switch to the newly created user account we simply run su qbit. And to logout we use exit.

Displaying groups of the user

By default every user is associated with a primary group which gets created and allocated to the user when user is created in the first place. 

$groups qbit
qbit : qbit

Creating user with custom config

When we create a new user with useradd command without feeding any options, its home directory is not created. Here is how we can setup the home directory at the time of user creation.

$sudo useraadd -m qbit

The -m option is to ensure the home directory is created along with the user. By default it is created at home/username/, in this case home/qbit.

We can also define custom location for home directory like this

$sudo useradd -m -d /home/new/qbit

We can use all the options defined for usermod (the next command) with useradd command as well, for example:

sudo useradd -m -d /home/qbit -c "Bot dev" -g developers -G team -s /bin/zsh

Modifying user properties

In Linux we use usermod command to change the properties of the user, like password, login directory, comment, default shell etc.

We use options with usermod command to change the respective properties of a user. The options are listed below:

OptionDescription
-cTo modify the user info or comment
-dTo modify the home directory of user
-eTo change the expiry date of user
-gTo change the primary group of user
-lTo change the login username of account
-LTo lock a user
-UTo unlock user
-pTo set an unencrypted password for user
-sTo set a shell for user
-uTo change the user ID (UID)

The command is to be run in this format.

$sudo usermod -option <argument> username

Let's try changing the home directory for tmpuser. 

$sudo usermod -d /home/tmp tmpuser

Create expiration date for user account

$sudo useradd -e 2022-12-31 tmpuser

In the above command:

  • -e YYYY-MM-DD specifies the expiry date for a new user account. The second step is to setup the password for the account using sudo passwd tmpuser

Now to verify the user account expiration details we can use chage command.

$sudo chage -l tmpuser
Last password change                    : Aug 06, 2022
Password expires                        : never
Password inactive                        : never
Account expires                         : Dec 31, 2022
Minimum number of days between password change    : 0
Maximum number of days between password change     : 99999
Number of days of warning before password expires    : 7

Deleting users & associated files

In Linux we user userdel command to delete users and the related files. Here is the format of the command.

$sudo userdel -option username
OptionDescription
-ruser’s home directory will be removed along with the files in it.
-fuser gets deleted irrespective of the login status.

Let's see an example 

$sudo userdel -r qbit

Creating admin users

Suppose we want to provide some user with sudo privileges on the system. First we need to make sure that user have a home directory defined. Now here is the demonstration to equip a user with admin / sudo privileges.

$sudo usermod -aG sudo qbit

The second sudo used in the command is actually a group, so in essence we are adding the qbit user to a sudo group, thus it is able to gain admin privileges.

Conclusion

So that brings us to the end of this blog post. I hope you got the clear picture of how to create, modify and delete users on Linux, set passwords & expiry date for accounts and provide a user with admin privileges. Don't feel as though you have to, but if you feel like it, give an upvote and share with friends. Thank you ❀️

Linuxlinux-commandsBeginner Developersterminal
Β