Master Linux User and Group Management: Files, Commands, and Best Practices
This guide explains Linux user and group fundamentals, detailing UID/GID concepts, primary and secondary groups, system, regular and root users, the structure of key files such as /etc/passwd, /etc/shadow, /etc/group, /etc/gshadow, /etc/skel, /etc/login.defs and /etc/default/useradd, and provides comprehensive usage examples for management commands like useradd, newusers, groupadd, passwd, chpasswd, chage, usermod, and related utilities.
Basic Concepts of Users and Groups
In Linux, users and groups are authentication resources. Each user has a username, a unique UID, a primary group, a default shell, and optionally a password, home directory, supplementary groups, and comment fields. Groups have a name and a unique GID. Groups are of two types: primary and secondary; every user belongs to one primary group and may belong to multiple secondary groups.
Linux defines three user categories:
Superuser (UID 0, typically root) – highest privileges; the command prompt is #.
System users (UID 201‑999) – have limited privileges, usually no login shell and no home directory.
Regular users (UID ≥500) – limited privileges, can execute commands in standard bin directories and have full access to their own home directory; the prompt is $.
User and Group Management Files
/etc/passwd stores basic user information. Each line represents a user with seven fields separated by colons:
username:x:uid:gid:comment:home_directory:shell
/etc/shadow holds encrypted password data and password aging information. It contains nine fields, e.g.:
username:encrypted_password:last_change:min:max:warn:inactive:expire:reserved
Special symbols in the password field indicate locked accounts (!, *, !!) or an empty password (the field is empty, so the line shows two adjacent colons, ::). The hash format $id$salt$hashed specifies the hashing algorithm (e.g., $6$ for SHA‑512).
/etc/group lists groups, each line having four fields:
group_name:x:gid:user_list
/etc/gshadow stores group password information.
/etc/skel contains skeleton files that are copied to a new user's home directory (e.g., .bashrc, .bash_profile, .bash_logout).
/etc/login.defs defines default account policies (password aging, UID/GID ranges, etc.). Settings in /etc/shadow override those in this file.
/etc/default/useradd provides default values for useradd (default group, home directory base, shell, skeleton directory, etc.).
User Management Commands
useradd / adduser – create a new user. Common options:
-b base directory for home (default /home)
-d explicit home directory
-m create home directory if missing
-M do not create home directory
-g primary group
-G supplementary groups (comma‑separated)
-N do not create a group with the same name as the user
-U create a group with the same name as the user
-r create a system user
-s login shell
-u UID (use -o to allow duplicate UID)
-c comment field
-k skeleton directory
-K modify /etc/login.defs values
-D change default options in /etc/default/useradd
Example:
useradd -D -e "2016-08-20"    # set the default account expiration date
useradd -D                    # show current defaults
newusers – batch creation/modification of users from a file with lines formatted as:
pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell
Options include -c to select the encryption method (DES, MD5, SHA256, SHA512) and -r to create system users.
groupadd – create a new group. Key options:
-g specify GID (use -o for a non‑unique GID)
-r create a system group
-f force creation if the group already exists
-K modify /etc/login.defs group settings
passwd – change a user's password, lock or unlock accounts, or delete passwords. Common flags:
-l lock account (adds ! or !! to the password field)
-u unlock account
-d delete password (empty field)
-e force password expiration
-n minimum days between changes
-x maximum days before expiration
-w warning days before expiration
-i inactive days after expiration before disabling the account
chpasswd – batch update passwords from stdin or a file. Use -c to choose the hashing algorithm and -e if the input passwords are already encrypted.
chage – view or modify password aging information. Useful flags:
-l list password info
-E set account expiration date (0 locks the account immediately)
usermod – modify existing user attributes (UID, GID, home directory, shell, comment, lock/unlock, expiration). Important options:
-l change login name
-u change UID (use -o for a duplicate UID)
-g change primary GID
-G set supplementary groups
-d new home directory
-m move contents to the new home directory
-s change login shell
-L lock password, -U unlock
-e set account expiration date
-f set days after password expiration before the account is disabled
vipw / vigr – safely edit /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow with consistency checks.
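The file layouts from the previous section and the passwd/usermod/chage options above come together in an account audit. The script below is an added example, not code from the original article or from MaGe: it parses constructed /etc/passwd and /etc/shadow lines, classifies each password field (empty, locked, or its $id$ hash algorithm), reports extra UID‑0 accounts, and prints the remediation commands from this guide as a dry run rather than executing them. SAMPLE_PASSWD, SAMPLE_SHADOW, the function names, the 90‑day maximum and the UID cutoff of 500 are assumptions made here; on a real host /etc/login.defs (UID_MIN, PASS_MAX_DAYS) is authoritative.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run account-hygiene
# audit over constructed /etc/passwd and /etc/shadow content. Nothing here
# reads or changes real system files; remediation commands are only printed.
# Assumptions: sample data, function names, 90-day maximum, UID cutoff 500.

# Constructed /etc/passwd content: username:x:uid:gid:comment:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc_backup:x:450:450:backup service:/var/backup:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
guest:x:1003:1003:Guest:/home/guest:/bin/bash'

# Constructed /etc/shadow content; the hash bodies are placeholders:
# name:encrypted_password:last_change:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$HASHPLACEHOLDER:19000:0:99999:7:::
toor:$6$saltsalt$HASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup:!!:19000:0:99999:7:::
alice:$6$saltsalt$HASHPLACEHOLDER:19000:0:90:7:::
bob:$1$saltsalt$HASHPLACEHOLDER:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# Print colon-separated field N of the line for user USER in CONTENT.
field_of() {  # usage: field_of CONTENT USER N
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }'
}

# Classify the encrypted-password field of a shadow entry: empty (login
# without a password), locked (!, !!, * or a "!"-prefixed hash), or the
# algorithm id taken from the $id$salt$hash format.
shadow_state() {
    _p=$(field_of "$SAMPLE_SHADOW" "$1" 2)
    case $_p in
        '')        echo empty ;;
        '*'|'!'*)  echo locked ;;
        '$6$'*)    echo sha512 ;;
        '$5$'*)    echo sha256 ;;
        '$1$'*)    echo md5 ;;
        *)         echo other ;;
    esac
}

# Every UID-0 account other than root is a second superuser; list them.
extra_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Remediation commands for one account (printed, never executed).
plan_for() {
    _u=$1
    _uid=$(field_of "$SAMPLE_PASSWD" "$_u" 3)
    [ -n "$_uid" ] || return 1
    _shell=$(field_of "$SAMPLE_PASSWD" "$_u" 7)
    _max=$(field_of "$SAMPLE_SHADOW" "$_u" 5)
    _state=$(shadow_state "$_u")
    case $_state in
        empty)     printf 'passwd -l %s\n' "$_u" ;;  # no password at all: lock it
        md5|other) printf 'passwd -e %s\n' "$_u" ;;  # legacy hash: force a change, rehashed per login.defs
    esac
    # System account (UID 1-499 in this guide) that still has an interactive shell.
    if [ "$_uid" -gt 0 ] && [ "$_uid" -lt 500 ] && [ "$_shell" != /sbin/nologin ]; then
        printf 'usermod -s /sbin/nologin %s\n' "$_u"
    fi
    # Regular account with a usable password and no maximum password age.
    if [ "$_uid" -ge 500 ] && [ "$_state" != locked ] && [ "${_max:-99999}" -ge 99999 ]; then
        printf 'passwd -x 90 %s\n' "$_u"
    fi
}

# Walk every account and print the complete plan.
audit() {
    for _x in $(extra_uid0); do
        printf 'WARNING: %s has UID 0 (check with id %s; reassign with usermod -u)\n' "$_x" "$_x"
    done
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1 | while read -r _name; do
        plan_for "$_name" | sed "s/^/$_name: /"
    done
}

audit
```

To run it against a live system, replace the two sample variables with the contents of the real files (reading /etc/shadow requires root) and review the printed plan before applying any command; the thresholds should be taken from /etc/login.defs rather than the constants used here.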
Other User‑Related Commands
finger – display user information (may need installation on newer CentOS).
id – show UID/GID and group memberships.
users – list currently logged‑in usernames.
last – show recent login sessions (reads /var/log/wtmp).
lastb – show failed login attempts (reads /var/log/btmp).
who and w – display who is logged in and what they are doing.
lastlog – report the most recent login of each user.
These utilities together provide a complete toolkit for creating, modifying, and auditing Linux user and group accounts.
MaGe Linux Operations
Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.