Master Linux User and Group Management: Commands, Permissions, and Best Practices
This guide explains Linux user and group classification, UID/GID ranges, and the locations of account files; gives step‑by‑step commands for adding, modifying, and deleting users and groups; and covers file and directory permission concepts and special permission bits.
User Account Classification
Linux distinguishes three types of accounts:
Super user – highest privileges (root).
Normal user – limited privileges.
Program user – used by programs, cannot log in.
Each user is identified by a UID, similar to an ID card. Typical UID ranges are:
Root: 0
Program users: 1‑499 (CentOS 6) or 1‑999 (CentOS 7)
Normal users: 500‑60000 (CentOS 6) or 1000‑60000 (CentOS 7)
Groups are identified by GID, which works like a group ID card.
Account File Locations
/etc/passwd stores user information. Example line:
root:x:0:0:root:/root:/bin/bash
The fields, in order, are username, password placeholder, UID, GID, comment, home directory, and login shell.
/etc/shadow stores the encrypted (hashed) passwords.
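The account classes, UID ranges and /etc/passwd fields described above can be checked mechanically. The script below is an added example, not part of the original article: it reads passwd-format lines and flags a second UID 0 account, a program user with a login shell, and an empty password field. The function names, finding labels and sample accounts are constructed for illustration, and it assumes the seven-field layout shown above.

```shell
#!/bin/sh
# Added example (not from the original article): audit passwd-format lines
# against the account classes and UID ranges described above.

# Reads passwd-format lines on stdin.
# $1 = highest program-user UID: 999 (CentOS 7, default) or 499 (CentOS 6).
audit_passwd() {
    awk -F: -v sys_max="${1:-999}" '
        $0 == "" || /^#/ { next }                      # skip blanks and comments
        NF != 7 { print "MALFORMED line " NR; next }   # expect exactly 7 fields
        $3 !~ /^[0-9]+$/ { print "BAD_UID " $1; next } # UID must be numeric
        {
            user = $1; uid = $3 + 0; shell = $7
            can_login = (shell !~ /\/(nologin|false)$/)
            # Only root should hold UID 0; any other name is a second superuser.
            if (uid == 0 && user != "root") print "EXTRA_UID0 " user
            # Program users are not meant to log in, so a real shell needs review.
            if (uid >= 1 && uid <= sys_max + 0 && can_login) {
                print "PROGRAM_USER_SHELL " user " uid=" uid " shell=" shell
            }
            # Field 2 should be the placeholder; empty means no password is set.
            if ($2 == "") print "EMPTY_PASSWORD " user
        }
    '
}

# Constructed sample data, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ky33:x:2000:2000::/home/ky33:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
svc_app:x:600:600:app service:/opt/app:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
broken:x:1002
EOF
}

sample_passwd | audit_passwd 999
```

To audit a real host, run audit_passwd 999 < /etc/passwd (or 499 for the CentOS 6 range). Treat PROGRAM_USER_SHELL as a prompt for review rather than proof of a problem.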
Adding Users
Use useradd with syntax useradd [options] username. Important options:
-s <shell> – set login shell (e.g., /bin/bash, /sbin/nologin)
-u <uid> – specify UID
-M – do not create home directory
-d <dir> – set home directory
-e <date> – account expiration date
-g <gid> – primary group
-G <group1,group2> – supplementary groups
-r – create a system user
For example, combining -u 2000, -M, and -s /sbin/nologin creates user ky33 with UID 2000, no home directory, and the shell /sbin/nologin.
Changing Passwords
Use passwd with syntax passwd [options] username. Common options:
-d – delete the password (allow login without a password)
-l – lock the account
-S – show account status
-u – unlock the account
passwd -l ky33 # lock user ky33
passwd -d ky33 # delete password
passwd -S ky33 # show status
passwd -u ky33 # unlock user
Modifying User Attributes
Use usermod with syntax usermod [options] username. Key options:
-l <newname> – change login name
-L – lock account
-u <uid> – change UID
-U – unlock account
-d <dir> – change home directory
-e <date> – set expiration date
-g <gid> – change primary group
-G <group1,group2> – change supplementary groups
-s <shell> – change login shell
usermod -L ky33 # lock user
usermod -U ky33 # unlock user
usermod -l kyy33 ky33 # rename user
Deleting Users
Use userdel with syntax userdel [options] username. Option -r removes the user's home directory as well.
Group Management
Group information is stored similarly to user information.
Adding Groups
Use groupadd -g gid groupname to create a new group with a specific GID.
Managing Group Membership
Use gpasswd:
-a <user> – add user to group
-d <user> – delete user from group
-M <user1,user2> – set the entire member list
Deleting Groups
Use groupdel groupname to remove a group.
Querying Information
Use finger to display detailed user account information.
File and Directory Permissions
Permission Bits
Three basic bits:
r – read (view contents)
w – write (modify contents)
x – execute (run a file or traverse a directory)
File Permissions
Read: tools like cat can display the file.
Write: modify the file.
Execute: the kernel can run the file as a program (must be executable code).
Directory Permissions
Read: ls lists filenames.
Write: create or delete entries inside the directory.
Execute: cd into the directory and use ls -l to view metadata (requires read as well).
Changing Permissions
Use chmod. The -R flag applies changes recursively.
Changing Ownership
Use chown: chown username filename. Add -R for recursive changes.
Special Permission Bits
suid – set‑user‑ID on execution (runs with file owner’s privileges).
sgid – set‑group‑ID (runs with file’s group privileges).
sticky – restrict deletion within a directory to the file owner, directory owner, or root.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
