
Master Linux User Management: Create, Modify, and Secure Accounts

This guide explains Linux user concepts, differences from Windows, how to view, create, modify, and delete users and groups, manage passwords, configure sudo and su for privilege escalation, and understand the critical /etc/passwd and /etc/shadow files, providing practical command examples and security tips.

MaGe Linux Operations

1. User Overview

What is a user?

A user is an entity that can log into a Linux or Windows system (think of renting a house and being able to move in).

Linux supports multiple simultaneous logins; Windows allows multiple user accounts but only one active login at a time.

Why create users on Linux?

Every process runs under a specific user. Ordinary users are preferred for server management to avoid the high‑risk root account.

Viewing Users

Check current logged‑in user:

# id    # view current user information
uid=0(root) gid=0(root) groups=0(root)

Check another user:

# id oldboy
uid=1000(oldboy) gid=1000(oldboy) groups=1000(oldboy)

List processes with their owning users:

# ps aux | less

User Storage Locations

User information is stored in /etc/passwd (account records, no password hashes) and /etc/shadow (holds the hashed passwords).

UID Conventions

UID        Meaning
0          Super‑admin (root) with full privileges
1‑200      System users for built‑in services (pre‑created)
201‑999    System users for installed programs (no login)
1000+      Regular login users with limited rights
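
An added example (not from the original article): an awk-based audit that applies the UID conventions above to passwd- and shadow-format records. The sample records, function names and finding labels are constructed for this example.

```shell
#!/bin/sh
# Constructed sample data in /etc/passwd and /etc/shadow format (not real accounts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/sbin/nologin
nginx:x:998:996:nginx:/var/lib/nginx:/bin/bash
oldboy:x:1000:1000::/home/oldboy:/bin/bash'

SAMPLE_SHADOW='root:$6$constructed$hash:19000:0:99999:7:::
toor:$6$constructed$hash:19000:0:99999:7:::
mysql:!!:19000::::::
nginx:!!:19000::::::
oldboy::19000:0:99999:7:::'

# audit_passwd: read passwd-format lines on stdin, print one finding per line.
audit_passwd() {
  awk -F: '
    # Field 3 is the UID; only root should have UID 0.
    $3 == 0 && $1 != "root" { print "UID0 " $1 }
    # UIDs 1-999 are service accounts and should not have a login shell (field 7).
    $3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ { print "SYSTEM_LOGIN_SHELL " $1 }
  '
}

# audit_shadow: read shadow-format lines on stdin, print one finding per line.
audit_shadow() {
  awk -F: '
    # An empty second field means no password is required for this account.
    $2 == "" { print "EMPTY_PASSWORD " $1 }
  '
}

# audit_all: run both checks over the constructed sample data.
audit_all() {
  printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
  printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
}

audit_all
```

On a real host, run `audit_passwd < /etc/passwd` and, as root, `audit_shadow < /etc/shadow`.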

2. User‑Related Commands

2.1 Adding Users

Use useradd (the adduser command is a symlink to it).

Usage: useradd [options] LOGIN
       useradd -D               # show defaults
       useradd -D [options]     # modify defaults

Important options:

-d  home directory
-g  primary group ID
-G  supplementary groups (comma‑separated)
-k  copy files from directory (used with -m)
-m  create home directory
-c  comment / description
-N  do not create a group with the same name
-s  login shell
-u  user ID
-D  show or change default configuration
-r  create a system account (no home by default)

Example: create user bgx with UID 5001, primary group students, supplementary group sa:

# groupadd sa
# groupadd students
# useradd -u 5001 -g students -G sa -c "2019 new student" -s /bin/bash bgx

Example: create a system user for MySQL without a home directory and with a non‑login shell:

# useradd mysql -M -s /sbin/nologin
# useradd -r dba -s /sbin/nologin

2.2 Modifying Users

Use usermod to change user attributes.

-c  change comment
-d  change home directory (use -m to move contents)
-g  change primary group
-G  change supplementary groups (replace by default)
-a  add supplementary groups
-l  change login name
-L  lock account
-U  unlock account
-s  change login shell
-u  change UID
-e  set account expiration date

Example: modify bgx UID, primary group, add supplementary group, and change comment, home, shell, and login name:

# groupadd -g 5008 network_sa
# groupadd -g 5009 devops
# usermod -u 6001 -g 5008 -a -G 5009 bgx
# usermod -c "2019 new student" -md /bgx -s /bin/sh -l change_bgx bgx

Lock and unlock a user:

# echo "123" | passwd --stdin change_bgx
# usermod -L change_bgx   # lock
# usermod -U change_bgx   # unlock

2.3 Deleting Users

Use userdel. By default it does not remove the home directory; -r removes it, -f forces deletion.

# userdel user1               # keep home and mail spool
# userdel -r user1            # remove home as well

2.4 Other Useful Commands

finger – query user info (install with yum install finger)

chfn – change GECOS field (full name, phone, etc.)

chsh – change login shell

who, whoami, w – view logged‑in users

3. Password Management

Set or change passwords with passwd. Regular users can only change their own passwords; administrators can change any.

passwd [options] <accountName>
-d   delete password (account becomes unusable)
-l   lock account
-u   unlock account
-e   force password change on next login
-f   force operation
-x   max password age
-n   min password age
-w   warning days before expiry
-i   inactivity period before account is disabled
--stdin   read password from stdin

Example of bulk password creation:

for i in {1..100}; do
  useradd test$i
  echo "123456" | passwd --stdin test$i
done
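
A hardened variant of the loop above, as an added example (not from the original article): each account gets its own random initial password through chpasswd and is expired with passwd -e so the user must change it at first login. The test prefix, the count, the path /root/initial-credentials.txt and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Bulk account creation without a shared, guessable password.

# gen_password: 24 hex characters (96 random bits) from /dev/urandom.
gen_password() {
  head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# gen_credentials PREFIX COUNT: print "user:password" lines, the input
# format chpasswd reads on stdin.
gen_credentials() {
  i=1
  while [ "$i" -le "$2" ]; do
    printf '%s%d:%s\n' "$1" "$i" "$(gen_password)"
    i=$((i + 1))
  done
}

# provision PREFIX COUNT OUTFILE: create the accounts (must run as root).
provision() {
  # Write the credential list with mode 0600 so only root can read it.
  ( umask 077; gen_credentials "$1" "$2" > "$3" )
  while IFS=: read -r user rest; do
    useradd "$user"
  done < "$3"
  chpasswd < "$3"            # set every password in one pass
  while IFS=: read -r user rest; do
    passwd -e "$user"        # expire: force a change at next login
  done < "$3"
}

# Only touch the system when explicitly asked to, and only as root.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
  provision test 100 /root/initial-credentials.txt
fi
```

Hand each user their line over a private channel and delete the credentials file once the first logins are done.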

4. Privilege Escalation

4.1 Using su

su switches user identity. su - starts a login shell (loads target user's environment); su without - starts a non‑login shell.

# su               # ordinary user becomes root (needs root password)
# su -             # login shell, loads root's environment
# su - lqz -c 'ifconfig'   # run a command as another user

4.2 Using sudo

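sudo allows specific commands to be run with elevated rights without sharing the root password.

# usermod -a -G wheel bgx       # add user to wheel group (common sudo group); -a keeps existing supplementary groups
# visudo                        # edit /etc/sudoers

Rules added to /etc/sudoers through visudo:

bgx ALL=(ALL) /usr/bin/yum, /usr/sbin/useradd   # allow these commands
oldboy ALL=(ALL) NOPASSWD: /bin/cp, /bin/rm     # no password needed for cp and rm

# sudo -l                       # list allowed commands for current user

Because cp and rm run as root can replace or delete any file on the system, the oldboy rule amounts to unrestricted root access without a password prompt; reserve NOPASSWD for commands that cannot modify arbitrary files.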

Define user aliases and command aliases in sudoers to grant fine‑grained permissions, e.g.:

User_Alias OPS = oldboy, alex
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
# SOFTWARE, SERVICES, STORAGE, DELEGATING and PROCESSES must each be defined as a Cmnd_Alias like NETWORKING
OPS ALL=(ALL) NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES

5. Group Management

5.1 What is a Group?

A logical collection of users. Operations on a group affect all its members.

5.2 Types of Groups

Primary group – each user has exactly one; it is set with -g, or by default a private group named after the user is created automatically.

Supplementary groups – users can belong to multiple for additional permissions.

5.3 Group Files

Group definitions are stored in /etc/group and /etc/gshadow.

5.4 Managing Groups

Create a group:

# groupadd devops               # basic group, auto‑assign GID
# groupadd -g 5555 special      # specify GID
# groupadd -r sysgroup          # system group (GID 201‑999)

Modify a group:

# groupmod -g 1111 no_gid       # change GID
# groupmod yes_gid -n active_group   # rename group

Delete a group (cannot delete a primary group of an existing user):

# groupdel active_group

Set a group password (optional):

# gpasswd devops

Switch primary group for the current session:

# newgrp devops

6. Additional References

For deeper details see the original article: Linux User and Group Management.
