Master Linux User & Group Management: Commands, Files, and Best Practices

This comprehensive guide explains Linux user and group concepts, classification, security contexts, essential configuration files, password policies, and detailed command examples for creating, modifying, and deleting users and groups, helping administrators efficiently manage system access and permissions.

MaGe Linux Operations

What Are Users and Groups?

User and Group Concepts

Example

Facial recognition at train stations

Fingerprint for clock‑in/out

Secret code for a secret society

Users exist to allocate resources.

Example

Borrow a shared bike home

General manager exercising authority

Authentication, Authorization, Accounting (auditing)

User Classification

Linux users are divided into administrators and regular users:

| User Type | UID |
|---|---|
| Administrator | 0 |
| Regular user | 1‑65535 |

Regular users are further split into system users and login users:

| User Type | UID |
|---|---|
| System user | 1‑999 (used by daemon processes) |
| Login user | 1000‑60000 (interactive logins) |

Linux Security Context

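A running process carries the identity of the user who started it, and what the process is allowed to do depends on that identity.

Linux decides access through this security context. If the process's user owns the file, the owner permissions apply; otherwise, if the user belongs to the file's group, the group permissions apply; otherwise the “other” permissions apply. Only the first matching class is used.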
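The check order described above, as an added example that is not part of the original article: a small function that picks the one permission class that applies. It assumes plain mode bits only (no ACLs, capabilities or UID 0 override); the name dac_class and all UIDs, GIDs and modes are constructed for illustration.

```bash
#!/bin/sh
# Added illustration of the owner -> group -> other check order.
# Assumptions: plain mode bits only; ACLs, capabilities and the
# UID 0 override are ignored. All UIDs/GIDs below are constructed.

# dac_class MODE FILE_UID FILE_GID PROC_UID PROC_GID...
# Prints "<class> <rwx>" for the single class that is consulted.
dac_class() {
    local mode=$1 fuid=$2 fgid=$3 puid=$4
    shift 4
    local class=other shift_by=0 g
    for g in "$@"; do
        # Any of the process's groups matching the file's group selects "group".
        if [ "$g" = "$fgid" ]; then class=group shift_by=3; fi
    done
    # Ownership is tested first, so it overrides a group match.
    if [ "$puid" = "$fuid" ]; then class=owner shift_by=6; fi

    # Extract the three bits of the selected class from the octal mode.
    local bits=$(( (0$mode >> $shift_by) & 7 ))
    local r=- w=- x=-
    [ $(( $bits & 4 )) -ne 0 ] && r=r
    [ $(( $bits & 2 )) -ne 0 ] && w=w
    [ $(( $bits & 1 )) -ne 0 ] && x=x
    echo "$class $r$w$x"
}

# Mode 047: owner ---, group r--, other rwx.
dac_class 047 1000 1000 1000 1000   # owner, also in the group -> owner ---
dac_class 047 1000 1000 1001 1000   # group member             -> group r--
dac_class 047 1000 1000 1002 1002   # unrelated user           -> other rwx
```

Mode 047 is the instructive case: the owner is denied even though "other" has full access, because only the first matching class is consulted.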

Linux User Group Types

| Group Type | Characteristics |
|---|---|
| Private group | When a user is created without a specified group, the system creates a group with the same name as the user. |
| Primary group | The default group of a user. |
| Supplementary (extra) group | Any additional groups beyond the primary one. |

Linux User and Group Configuration Files

File Descriptions

| File | Purpose |
|---|---|
| /etc/passwd | User account information (name, UID, primary GID, etc.) |
| /etc/group | Group definitions and attributes |
| /etc/shadow | Encrypted passwords and password‑related attributes |
| /etc/gshadow | Group passwords and attributes used for group switching |

| File | Field | Description |
|---|---|---|
| /etc/passwd | 1 | Username |
| /etc/passwd | 2 | Password placeholder |
| /etc/passwd | 3 | UID |
| /etc/passwd | 4 | GID |
| /etc/passwd | 5 | User description |
| /etc/passwd | 6 | Home directory |
| /etc/passwd | 7 | Login shell |

| File | Field | Description |
|---|---|---|
| /etc/shadow | 1 | Login name |
| /etc/shadow | 2 | Encrypted password |
| /etc/shadow | 3 | Last password change (days since epoch) |
| /etc/shadow | 4 | Minimum password age |
| /etc/shadow | 5 | Maximum password age |
| /etc/shadow | 6 | Password warning period |
| /etc/shadow | 7 | Password inactivity period |
| /etc/shadow | 8 | Account expiration date |
| /etc/shadow | 9 | Reserved |
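An audit pass over the two field layouts above, as an added example that is not part of the original article: it flags extra UID 0 accounts, system-range UIDs with a login shell, empty or MD5-crypt password fields, and a missing maximum password age. The account names, hashes, function names and the 99999 "never expires" convention are assumptions of this example.

```bash
# Added example: audit passwd/shadow-format files by field position.
# Every account name and hash below is constructed sample data.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svcback:x:0:0:backup:/home/svcback:/bin/bash
appsvc:x:998:998::/opt/app:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
}

sample_shadow() { cat <<'EOF'
root:$6$SALT$CONSTRUCTEDHASH:19700:0:90:7:::
daemon:*:19000:0:99999:7:::
svcback:$6$SALT$CONSTRUCTEDHASH:19700:0:90:7:::
appsvc:!:19700:0:90:7:::
alice:$1$SALT$CONSTRUCTEDHASH:19700:0:99999:7:::
bob::19700:0:90:7:::
EOF
}

# audit_accounts PASSWD SHADOW -> prints one "user: finding" line per issue
audit_accounts() {
    awk -F: '
    NR == FNR {                                   # first file: passwd
        if ($3 == 0 && $1 != "root") print $1 ": UID 0 but not root"
        if ($3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/)
            print $1 ": system UID with login shell"
        next
    }
    $2 == ""      { print $1 ": empty password field"; next }
    $2 ~ /^[!*]/  { next }                        # locked or no password login
    $2 ~ /^\$1\$/ { print $1 ": MD5-crypt hash" }
    $5 == "" || $5 + 0 >= 99999 { print $1 ": no maximum password age" }
    ' "$1" "$2"
}

# Write the samples to a scratch directory and audit them.
audit_sample() {
    local d
    d=$(mktemp -d) || return 1
    sample_passwd > "$d/passwd"
    sample_shadow > "$d/shadow"
    audit_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
audit_sample
```

On a real host the same function takes /etc/passwd and /etc/shadow as its two arguments and needs read access to the shadow file.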

Password Complexity

Password policy: use at least three of the four character classes (digits, uppercase, lowercase, and special characters); be sufficiently long; be random; avoid reuse; change regularly.

User and Group Management Commands

User Management

User Creation (useradd)

useradd creates a user account and its home directory; the command must be run as root. -g sets the primary group, -G sets supplementary groups.

-u UID Specify user ID

# id root
uid=0(root) gid=0(root) groups=0(root)
# useradd xbz
# id xbz
uid=1000(xbz) gid=1000(xbz) groups=1000(xbz)
# useradd -u 2000 xbz1
# id xbz1
uid=2000(xbz1) gid=2000(xbz1) groups=2000(xbz1)

-g GID Set primary group ID

# useradd -g 2000 xbz1
# id xbz1
uid=1001(xbz1) gid=2000(xbz1) groups=2000(xbz1)

-G groupname Add supplementary groups

# useradd -G xbz1 xbz2
# id xbz2
uid=1002(xbz2) gid=1002(xbz2) groups=1002(xbz2),2000(xbz1)

-c "COMMENT" Add a comment (GECOS field)

# useradd -c xbz1 xbz3
# id xbz3
uid=1003(xbz3) gid=1003(xbz3) groups=1003(xbz3)
# tail -5 /etc/passwd
xbz:x:1000:1000::/home/xbz:/bin/bash
xbz1:x:1001:2000::/home/xbz1:/bin/bash
xbz2:x:1002:1002::/home/xbz2:/bin/bash
xbz3:x:1003:1003:xbz1:/home/xbz3:/bin/bash
hh:x:1004:1004:xx:/home/hh:/bin/bash

-d DIR Specify home directory (must not already exist)

# useradd -d /home/xbz5 xbz5
# cd ~xbz5
# pwd
/home/xbz5

-r -M -s SHELL Create a system user, do not create a home directory, and set a non‑login shell

# useradd -rMs /sbin/nologin tsb
# ll /home/

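User Deletion (userdel)

userdel removes the account but leaves the home directory in place; -r removes the home directory (and mail spool) as well.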

# userdel aaa
# ls /home/
aaa  bbb
# userdel -r bbb
# ls /home/
aaa

View Account Information (id)

# id xbz
uid=1000(xbz) gid=1000(xbz) groups=1000(xbz)
# id -u xbz
1000
# id -g xbz
1000
# id -G xbz
1000

Modify Account (usermod)

-u UID Change user ID

-g GID Change primary group ID (group must exist)

-G GROUPS Replace supplementary groups (use -a to append)

-aG GROUPS Append supplementary groups

-L Lock account (adds ‘!’ in /etc/shadow); -U Unlock account

-s SHELL Change login shell

# usermod -u 111 tsb
# usermod -g 993 tsb
# usermod -G xxxb tsb
# usermod -aG xxxb tsb
# usermod -L xxxb
# usermod -U xxxb
# usermod -s /sbin/nologin xxxb

Switch User (su)

| Method | Feature |
|---|---|
| su USERNAME | Non‑login switch (does not read target’s init files) |
| su - USERNAME | Login switch (reads target’s init files) |
| su - | Switch to root when no user is specified |

# su tushanbu
# su - tushanbu
# su - tushanbu -c "mkdir xxx"

Shell Configuration Files

| File Type | Path |
|---|---|
| Global | /etc/profile, /etc/profile.d/*.sh, /etc/bashrc |
| User | ~/.bash_profile, ~/.bashrc |

Login shells read /etc/profile → /etc/profile.d/*.sh → ~/.bash_profile → ~/.bashrc → /etc/bashrc. Non‑login shells read ~/.bashrc → /etc/bashrc → /etc/profile.d/*.sh.

Password Management (passwd)

passwd changes a user’s password; options include -l (lock), -u (unlock), -d (delete), -n (minimum days), -x (maximum days), -w (warning days), -i (inactive days), and --stdin to read from standard input.

# passwd tushanbu
# echo 1 | passwd --stdin tushanbu
# passwd -l tushanbu
# passwd -u tushanbu
# passwd -d tushanbu
# passwd -n 20 tushanbu
# passwd -x 200 tushanbu
# passwd -w 10 tushanbu
# passwd -i 10 tushanbu

Password Generation (openssl)

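openssl provides various utilities: dgst for digests, passwd for password hashes, and rand for random data. In the passwd example below, -1 selects the legacy MD5-based crypt scheme; -5 and -6 select the SHA-256 and SHA-512 based schemes.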

# openssl dgst -md5 /etc/fstab
# openssl passwd -1 -salt hellotom
# openssl rand -base64 20

Group Management

Create Group (groupadd)

-g GID Specify GID; -r Create a system group.

# groupadd bnx
# groupadd -g 1222 xnx
# groupadd -r xbn

Delete Group (groupdel)

# groupdel bnx
# groupdel xbn
# groupdel xnx