
Master Linux Account & Permission Management: Users, Groups, and Security

This guide explains Linux user and group account concepts, the structure of /etc/passwd and /etc/shadow, essential commands such as useradd, passwd, usermod, and userdel, as well as how to manage file permissions, ownership with chmod and chown, and configure default umask settings for secure system administration.

Raymond Ops

Account and Permission Management

1. Managing User and Group Accounts

User accounts: superuser, regular user, system user

Group accounts: primary group (private), supplementary group (public)

UID: user identifier; GID: group identifier

User Accounts

Superuser (root): UID 0, highest privileges, used only for system administration tasks.

Regular user: created by root or another admin, limited permissions, typically has full access only to its own home directory.

System user: low‑privilege accounts added by packages (e.g., bin, daemon, ftp, mail) that normally cannot log in and are used to run services.

Group Accounts

Primary group: the default group each user belongs to; every user has at least one primary group.

Supplementary group: additional groups a user may belong to.

The UID/GID ranges assigned to system accounts and to regular accounts on CentOS 6 and CentOS 7 are described in the original article.

1. /etc/passwd: User Account File

Each line stores username, password placeholder, UID, GID, comment, home directory, and login shell.

Example line:

root:x:0:0:root:/root:/bin/bash

Field explanations: username, placeholder "x" for the password, UID, GID, comment, home directory, login shell. The real encrypted passwords are kept in /etc/shadow, readable only by root.

2. /etc/shadow: Password File

Stores encrypted passwords and account aging information; only root can read.

Fields: username, encrypted password, last password change date (days since 1970‑01‑01), minimum days between changes, maximum days before a change is required, warning period before expiration, inactivity period, account expiration date, reserved.

Use the chage command to modify password aging, e.g.:

chage -E 2019-04-29 test   # set an expiration date for user test

3. useradd: Add User

Syntax: useradd [options] username

Important options:

-u UID (must be unused)
-d Home directory
-e Account expiration date (YYYY-MM-DD)
-g Primary group (or GID)
-G Supplementary groups (or GIDs)
-M Do not create a home directory
-s Login shell

Examples:

useradd zhangsan
id zhangsan
tail -1 /etc/passwd

Create an auxiliary admin account:

useradd -d /admin -g wheel -G root admin
id admin

4. passwd: Set/Change Password

Syntax: passwd [options] username

Examples:

echo "123456" | passwd --stdin username   # batch set password
passwd -d username                       # delete password (empty)
passwd -l username                       # lock account
passwd -u username                       # unlock account
passwd -S username                       # show status
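An added shell example, not from the original article, that applies the /etc/passwd and /etc/shadow field layout from sections 1 and 2 and reports the same status letters passwd -S prints (NP, L, P). The sample lines, placeholder hashes and function names are constructed for this example.

```shell
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
# Shadow field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
zhangsan:x:1000:1000::/home/zhangsan:/bin/bash
backup:x:0:0:backup operator:/home/backup:/bin/bash'
SHADOW_SAMPLE='root:$6$saltsalt$hashhashhash:17900:0:99999:7:::
bin:*:17900:0:99999:7:::
zhangsan::17900:0:99999:7:::
backup:!$6$saltsalt$hashhashhash:17900:0:99999:7::18015:'

# Accounts with UID 0 other than root: every one of them is a second superuser.
extra_uid0() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Password status of one account, with the letters passwd -S uses:
# NP = empty field (passwd -d), L = locked by a ! or * prefix (passwd -l), P = usable hash.
password_status() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: -v u="$1" '$1 == u {
        if ($2 == "")          print "NP"
        else if ($2 ~ /^[!*]/) print "L"
        else                   print "P"
    }'
}

# Accounts with an expiration date (field 8), in days since 1970-01-01;
# chage -l shows the same value as a calendar date (18015 is 2019-04-29).
expiring() {
    printf '%s\n' "$SHADOW_SAMPLE" | awk -F: '$8 != "" { print $1 ":" $8 }'
}

# Regular users (UID >= 1000) whose login shell still allows interactive login.
login_users() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: '$3 >= 1000 && $7 !~ /nologin|false$/ { print $1 }'
}
```

Point the two variables at the real files (as root, since /etc/shadow is root-only) to run the same checks on a live host.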

5. usermod: Modify User Attributes

Key options:

-l Change login name
-L Lock account
-U Unlock account
-u Change UID
-d Change home directory
-e Change account expiration date
-g Change primary group
-G Change supplementary groups
-s Change login shell

6. userdel: Delete User

Delete a user and optionally its home directory:

userdel -r username   # remove home directory
userdel -rf username  # force removal

7. Initial User Configuration Files

When a user is created, files from /etc/skel are copied to the new home directory. Common files:

.bash_logout – executed on logout (e.g., echo "logout, $(date)")
.bash_profile – executed on login
.bashrc – executed for each interactive bash session

After editing .bashrc, reload with source ~/.bashrc or . ~/.bashrc.

8. Group Account Files

/etc/group stores group names, GIDs, and member lists; /etc/gshadow stores encrypted group passwords (rarely used).

Key commands:

groupadd [-g GID] groupname       # create a group
gpasswd -a user group             # add user to group
gpasswd -d user group             # remove user from group
groups username                   # list groups for a user
id username                       # show UID/GID information
finger username, w, who, users    # query logged-in users

2. Managing Directory and File Attributes

1. File/Directory Permissions and Ownership

Permissions:

r – read (view file or list directory)

w – write (modify file or create/delete entries in a directory)

x – execute (run program or traverse directory)

Ownership:

Owner – user who owns the file/directory

Group – group that owns the file/directory

Permission string example: drwxr-xr-x (directory) or -rw-r--r-- (regular file). The first character indicates type (d, -, l, etc.). The next three characters are owner permissions, the following three are group permissions, and the last three are permissions for others.

2. chown: Change Ownership

Syntax:

chown [owner][:group] file
chown -R owner:group directory   # recursive

3. umask

umask defines the default permission mask for newly created files and directories. It can be viewed with umask and set temporarily with umask 022. To make it permanent, add the command to .bash_profile or .profile in the user's home directory and reload the profile with source .bash_profile.
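An added shell example, not from the original article, that works out the mode a new file or directory receives under a given umask and renders it as the permission string described in section 1; the function names are my own.

```shell
# One octal digit (0-7) as its rwx triplet, exactly as ls -l shows it.
rwx() {
    case $1 in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) echo "bad digit: $1" >&2; return 1 ;;
    esac
}

# A three-digit octal mode as the owner/group/others string, e.g. 644 -> rw-r--r--
mode_to_string() {
    rest=${1#?}
    rwx "${1%??}"; rwx "${rest%?}"; rwx "${rest#?}"
    printf '\n'
}

# Mode a new file or directory gets under a umask: files are requested with 666
# (no execute bit), directories with 777, and the bits set in the umask are cleared.
default_mode() {  # $1 = umask as octal digits (e.g. 022), $2 = file or dir
    if [ "$2" = dir ]; then base=0777; else base=0666; fi
    printf '%03o\n' $(( base & ~0$1 ))
}

# Side-by-side view: 022 leaves new files group- and world-readable, 077 does not.
show_umask() {
    for m in 022 027 077; do
        printf 'umask %s: file %s (%s)  dir %s (%s)\n' "$m" \
            "$(default_mode "$m" file)" "$(mode_to_string "$(default_mode "$m" file)")" \
            "$(default_mode "$m" dir)"  "$(mode_to_string "$(default_mode "$m" dir)")"
    done
}
show_umask
```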

[Figure: permission diagram]

[Figure: file type diagram]

Summary

User account management (useradd, passwd, usermod, userdel)

Group account management (groupadd, gpasswd, groupdel)

User and group account files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow)

Querying account information (groups, id, finger, w)

Setting file and directory permissions (chmod)

Setting file and directory ownership (chown)

Configuring default permissions (umask)
