Master Linux User Management: Create, Modify, Secure Users and Groups

This guide explains Linux user concepts, how to view and manage user accounts and groups with commands like useradd, usermod, userdel, passwd, su, sudo, and groupadd, while covering file locations, UID ranges, password policies, privilege escalation, and practical examples.

Liangxu Linux

User Overview

A user is an identity that can log into a Linux or Windows system. Linux allows multiple simultaneous logins, while Windows permits only one active session per user.

Why Create Users?

Every process runs under a specific user ID.

Using non‑root users on servers reduces the risk of accidental system damage.

Viewing Users

Display the current user's UID, GID and groups with id, or inspect another user with id USERNAME:

uid=0(root) gid=0(root) groups=0(root)

List all processes and their owners with ps aux | less.

User Data Files

Linux stores user information in /etc/passwd (no password hashes) and /etc/shadow (encrypted passwords). These files should never be edited or deleted casually.

/etc/passwd fields

Username

Password placeholder (usually x)

UID

GID

Comment / GECOS

Home directory

Login shell

/etc/shadow fields

Username

Encrypted password

Last password change (days since 1970‑01‑01)

Minimum password age

Maximum password age

Password warning period

Password inactivity period

Account expiration date

UID Ranges

0 – Superuser (root)

1‑200 – System users for built‑in services

201‑999 – System users for installed programs (no login)

1000+ – Regular login users
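
An added example (not from the original article): a read-only audit that applies the field layouts and UID ranges above to passwd- and shadow-format files. The sample accounts and placeholder hashes are constructed, the function names are hypothetical, and 99999 is assumed to mean "no maximum password age".

```sh
#!/bin/sh
# Added example. All account data below is constructed, not real.

# write_samples DIR: create DIR/passwd and DIR/shadow in the formats listed above.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin2:x:0:0:constructed second UID 0:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svcapp:x:250:250:constructed service:/opt/app:/bin/bash
bgx:x:1000:1000:2019 new student:/home/bgx:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED$placeholder:19000:0:90:7:::
daemon:*:18000:0:99999:7:::
bgx:$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
alice::19000:0:90:7:::
olduser:$6$CONSTRUCTED$placeholder:18000:0:90:7::18500:
locked:!$6$CONSTRUCTED$placeholder:18000:0:90:7:::
EOF
}

# audit_passwd FILE: extra UID 0 accounts, and system UIDs (1-999) whose
# login shell ends in "sh" (a heuristic for an interactive shell).
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root"            { print "UID0 " $1 }
        $3 >= 1 && $3 <= 999 && $7 ~ /sh$/ { print "SYSTEM_LOGIN_SHELL " $1 }
    ' "$1"
}

# audit_shadow FILE TODAY: TODAY is in days since 1970-01-01, like field 3.
audit_shadow() {
    awk -F: -v today="$2" '
        $2 == ""     { print "EMPTY_PASSWORD " $1; next }
        $2 ~ /^[!*]/ { next }   # locked, or no password login at all
        $5 == "" || $5 + 0 >= 99999 { print "NO_MAX_AGE " $1 }
        $5 != "" && $5 + 0 < 99999 && $3 != "" && $3 + $5 < today + 0 { print "PASSWORD_EXPIRED " $1 }
        $8 != "" && $8 + 0 < today + 0 { print "ACCOUNT_EXPIRED " $1 }
    ' "$1"
}

dir=$(mktemp -d)
write_samples "$dir"
audit_passwd "$dir/passwd"
audit_shadow "$dir/shadow" "$(( $(date +%s) / 86400 ))"
rm -rf "$dir"
```

Reading the real /etc/shadow requires root; the functions only read the files they are given.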

User‑Related Commands

Add Users ( useradd )

Example:

useradd -d /home/bgx -g students -G sa -c "2019 new student" -s /bin/bash bgx

Common options:

-d Home directory

-g Primary group ID

-G Supplementary groups (comma‑separated)

-m Create the home directory

-c Comment / description

-s Login shell

-u UID

-r Create a system account (no home by default)

Configuration files used as defaults:

/etc/default/useradd – defaults for new users

/etc/login.defs – password policies and UID/GID ranges

Modify Users ( usermod )

Typical usage:

usermod -u 6001 -g 5008 -a -G 5009 bgx   # change UID, primary GID and add supplementary group
usermod -c "2019 new student" -d /bgx -s /bin/sh -l newname bgx   # change comment, home, shell, login name
usermod -L user   # lock account
usermod -U user   # unlock account

Delete Users ( userdel )

By default the home directory is kept; add -r to remove it.

userdel user1          # keep home directory
userdel -r user1       # remove home directory as well

Password Management

Set or change passwords with passwd. Password policies are defined in /etc/login.defs (e.g., PASS_MAX_DAYS, PASS_MIN_LEN, PASS_WARN_AGE).

Generate a random password:

echo $RANDOM | md5sum | cut -c1-10
mkpasswd -l 10 -d 2 -c 2 -C 2 -s 4
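
An added example (not from the original article): bash's $RANDOM only yields integers from 0 to 32767, so the first command above can produce at most 32768 different passwords. The sketch below draws from /dev/urandom instead and enforces the same per-class minimums as the mkpasswd call; the function names and the special-character set are assumptions.

```sh
#!/bin/sh
# Added example; function names and the special-character set are assumptions.
SPECIALS='@%+=:,._-'

# pick SET N: N random characters from tr(1) SET, read from the kernel CSPRNG.
pick() {
    [ "$2" -gt 0 ] || return 0
    head -c 2048 /dev/urandom | LC_ALL=C tr -dc "$1" | cut -c1-"$2"
}

# shuffle STRING: reorder the characters using random 32-bit sort keys.
shuffle() {
    printf '%s\n' "$1" | fold -w1 | while IFS= read -r c; do
        printf '%s %s\n' "$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')" "$c"
    done | sort -n | cut -d' ' -f2- | tr -d '\n'
}

# count_class STRING SET: how many characters of STRING fall in tr(1) SET.
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -dc "$2" | wc -c | tr -d ' '
}

# gen_password LEN MIN_DIGITS MIN_LOWER MIN_UPPER MIN_SPECIAL
gen_password() {
    rest=$(( $1 - $2 - $3 - $4 - $5 ))
    [ "$rest" -ge 0 ] || { echo "minimums exceed length" >&2; return 1; }
    pw=$(shuffle "$(pick 0-9 "$2")$(pick a-z "$3")$(pick A-Z "$4")$(pick "$SPECIALS" "$5")$(pick "A-Za-z0-9$SPECIALS" "$rest")")
    [ "${#pw}" -eq "$1" ] || return 1   # too few random characters were drawn
    printf '%s\n' "$pw"
}

gen_password 10 2 2 2 4   # same policy as: mkpasswd -l 10 -d 2 -c 2 -C 2 -s 4
```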

Privilege Escalation

su – switch to another user. su - starts a login shell and loads the target user's environment. Root can switch without a password; other users need the target's password.

sudo – execute a command with elevated rights. Edit /etc/sudoers via visudo. Example entry allowing a user to run specific binaries:

bgx ALL=(ALL) /usr/bin/yum, /usr/sbin/useradd

Check allowed commands with sudo -l.

Sudo Fine‑Grained Control

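Define command aliases and user aliases in sudoers to restrict which commands a user may run:

User_Alias OPS = oldboy, alex
Cmnd_Alias NETWORKING = /sbin/ifconfig, /bin/ping
# SOFTWARE is referenced below but was not defined in the original snippet; this definition is an assumption
Cmnd_Alias SOFTWARE = /usr/bin/yum
OPS ALL=(ALL) NETWORKING, SOFTWARE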

Group Management

What Is a Group?

A logical collection of users. Each user has one primary (basic) group and can belong to multiple supplementary groups.

Group Files

Group definitions are stored in /etc/group (name, password placeholder, GID, members) and /etc/gshadow (encrypted passwords, admins, members).

Group Commands

groupadd [-g GID] groupname – create a new group (optionally specify GID).

groupmod -g NEWGID groupname – change GID.

groupmod -n newname groupname – rename group.

groupdel groupname – delete a group (cannot delete a primary group of an existing user).

gpasswd groupname – set a group password.

newgrp groupname – switch the current primary group for the session.

Example Workflow

# Create a group
groupadd devops
# Add a user to the group
useradd alice -G devops
# Verify membership
id alice
# Switch to the new primary group for the session
newgrp devops

Additional Topics

Check SELinux status with getenforce; setenforce 0 temporarily switches it to permissive mode (until setenforce 1 or the next reboot).

SSH key‑based login: generate a key pair with ssh-keygen and copy the public key to the remote host with ssh-copy-id.

Useful user‑information utilities: finger, chfn, chsh, who, whoami, w.
