Master Linux User and Group Management: Commands, Files, and Best Practices

User Types

Superuser (UID 0) – highest privileges.

Regular user (UID 1000‑60000) – limited privileges.

Program/System user (UID 1‑999) – used by services, not for interactive login.

Each user must belong to a primary group and may belong to one or more supplementary groups.

User Account Files

The main user database is /etc/passwd, which stores username, UID, GID, comment, home directory, and login shell. Example entry format: root:x:0:0:root:/root:/bin/bash Use cat /etc/passwd or ls /etc/passwd to view the file.

Password hashes and aging information are stored in /etc/shadow. Example line:

root:$6$1ErSmgzZVaTclNcr$TMSjtWrgcZXeE1lo2.SQyrRK4M.GKe/rZsnhTOr4zS5QtwPFvKibxys9aiA4cmjj6COZ2SwNrTTQqrva6hZzT/::0:99999:7:::

Fields: encrypted password, last change (days since epoch), minimum days, maximum days, warning period, inactivity, expiration.

Adding Users (useradd)

Use useradd with options to create a new account and set its attributes.

useradd -u 1234 -s /sbin/nologin -M aa   # UID 1234, no login shell, no home directory

-u UID – specify a unique user ID.

-d DIR – set the home directory (ignored with -M).

-e DATE – account expiration date (YYYY‑MM‑DD).

-g GROUP – primary group name or GID.

-G GROUPS – supplementary groups.

-M – do not create a home directory.

-s SHELL – login shell.

Examples:

# useradd -u 1234 a
# cat /etc/passwd | grep a

a:x:1234:1234::/home/a:/bin/bash

# useradd -d /etc/data aa
# cat /etc/passwd | grep aa

aa:x:1001:1001::/etc/data:/bin/bash

# useradd -g asdjkl kk
# cat /etc/passwd | grep kk

kk:x:1236:1000::/home/kk:/bin/bash
# id kk
uid=1236(kk) gid=1000(asdjkl) groups=1000(asdjkl)

# useradd -s /sbin/nologin lll
# cat /etc/passwd | grep lll

lll:x:1237:1237::/home/lll:/sbin/nologin

Modifying Users (usermod)

Use usermod to change existing account properties.

-l NEWNAME – change login name.

-L – lock the account.

-U – unlock the account.

-u NEWUID – change UID.

-d NEWDIR – change home directory.

-e DATE – set expiration date.

-g GROUP – change primary group.

-G GROUPS – change supplementary groups.

-s SHELL – change login shell.

Deleting Users (userdel)

Remove an account with userdel. Use -r to also delete the user's home directory and mail spool.

# userdel qq          # removes the account only
# id qq
id: qq: no such user
# userdel -r qq      # removes account and its home directory
# id qq
id: qq: no such user

Password Management (passwd)

Set or change a password with passwd USERNAME. Common options:

-d – delete the password (login without password).

-l – lock the account.

-u – unlock the account.

-S – display account status.

Example of changing a password:

# passwd asdjkl
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Locking and unlocking:

# passwd -l qq
passwd: password expiry information changed.
# passwd -S qq
qq LK 2024-04-08 0 99999 7 -1 (locked)
# passwd -u qq
passwd: password expiry information changed.
# passwd -S qq
qq PS 2024-04-08 0 99999 7 -1 (password set, SHA512).