Mastering Linux Users and Groups: Files, Commands, and Best Practices
This guide explains Linux user and group concepts, the structure of key files like /etc/passwd and /etc/shadow, and provides detailed usage of management commands such as useradd, groupadd, newusers, passwd, chage, and related utilities.
Linux uses users and groups as its fundamental identity and access-control primitives: every process runs under a UID and a set of GIDs, and file permissions are checked against them. Each user and group has a numeric identifier (UID for users, GID for groups) plus attributes such as the login shell, home directory, and comment field.
Basic Concepts
Every user has a username, unique UID, primary group, optional secondary groups, shell, home directory, and optional comment.
Groups have a name and unique GID; the primary group is mandatory, secondary groups are optional.
Three user categories exist: root (UID 0), the superuser with full privileges and the "#" prompt; system users, service accounts that normally have no interactive password and a non-login shell such as /sbin/nologin; and regular users, with limited privileges and the default "$" prompt. The UID boundaries between system and regular users come from /etc/login.defs and differ by distribution: the ranges quoted by the source (system users 201-999, regular users from 500) mix the RHEL/CentOS 6 convention (UID_MIN 500) with the RHEL/CentOS 7 one (SYS_UID_MIN 201, SYS_UID_MAX 999, UID_MIN 1000); Debian and Ubuntu also start regular users at 1000. Privilege follows the number, not the name: any account with UID 0 is root.
Key Files
/etc/passwd is world-readable and stores one user per line in the format username:x:uid:gid:comment:home:shell:
username:x:uid:gid:comment:home:shell
Field 1: username (e.g., root, nobody)
Field 2: placeholder "x" (password moved to /etc/shadow)
Field 3: UID
Field 4: GID
Field 5: comment
Field 6: home directory (root uses /root)
Field 7: default shell (e.g., /bin/bash, /sbin/nologin)
/etc/shadow holds each user's password hash and aging information and is readable only by root (mode 0000 on RHEL/CentOS, 0640 root:shadow on Debian-based systems); that restriction is the reason the hash no longer lives in the world-readable /etc/passwd. Its nine colon-separated fields are the password hash, the date of the last change, the minimum and maximum age, the warning period, the inactivity period, the account expiration date, and a reserved field:
username:hashed_pw:last_change:min:max:warn:inactive:expire:reserved
Field 2 is the password hash. !! means no password has been set yet (the state useradd leaves a fresh account in on RHEL), * means password login is impossible (typical for system accounts), and a ! prefixed to an existing hash means the account was locked with passwd -l or usermod -L and can be unlocked again with passwd -u. An empty field means the user can log in with no password at all and should never appear on a multi-user system. A hash carries a $id$ prefix: $1$ is MD5 (obsolete), $5$ is SHA-256, and $6$ is SHA-512, the default on current releases (ENCRYPT_METHOD in /etc/login.defs selects it). Field 3 counts days since 1970-01-01; a value of 0 forces a password change at the next login, and field 8 uses the same day count for the account expiration date.
/etc/group lists groups as group_name:x:gid:user_list. The user list (comma‑separated) defines secondary group membership.
/etc/gshadow stores group password data (rarely used).
/etc/skel provides skeleton files copied to a new user’s home directory (e.g., .bashrc, .bash_profile).
/etc/login.defs configures defaults for user creation (UID/GID ranges, password aging, CREATE_HOME, USERGROUPS_ENAB, etc.).
/etc/default/useradd contains defaults modified via useradd -D (GROUP, HOME, INACTIVE, EXPIRE, SHELL, SKEL, CREATE_MAIL_SPOOL).
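An added example, not from the original article, that audits constructed copies of /etc/passwd and /etc/shadow using the field rules described above: it lists extra UID 0 accounts, accounts with an empty password field, and accounts that have an interactive shell but a locked or unset password. The file contents, user names and hashes are made up for the demonstration; point the same functions at the real files (as root) to audit a live system.

```shell
#!/bin/sh
# Added example: audit passwd/shadow using the field semantics described above.
# The sample files below are constructed for the demonstration (not real data).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
backup:x:0:0:looks harmless:/home/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:201:201:Service account:/var/lib/svc:/bin/sh
EOF

# $6$... is a SHA-512 hash; a leading ! means locked; !! means never set;
# * means no password login; an empty field means no password at all.
cat > "$WORK/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
backup:!!:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
EOF

# Every account whose UID (field 3) is 0 is a full superuser, whatever its name.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# An empty field 2 in shadow lets the user log in with no password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a login shell (field 7 of passwd) whose shadow field 2 is
# locked or unset (starts with ! or *). Harmless today, but one passwd
# invocation turns each of them into a live interactive account.
# Usage: locked_with_shell PASSWD_FILE SHADOW_FILE
locked_with_shell() {
    awk -F: '
        NR == FNR { pw[$1] = $2; next }            # first file read: shadow
        $7 !~ /(nologin|false)$/ && ($1 in pw) && pw[$1] ~ /^[!*]/ { print $1 }
    ' "$2" "$1"
}

printf 'UID 0 besides root : %s\n' "$(uid0_accounts "$WORK/passwd" | paste -s -d ',' -)"
printf 'empty password     : %s\n' "$(empty_password_accounts "$WORK/shadow" | paste -s -d ',' -)"
printf 'shell but locked   : %s\n' "$(locked_with_shell "$WORK/passwd" "$WORK/shadow" | paste -s -d ',' -)"
```

The third check is the one people forget: a locked account with /bin/bash is not a vulnerability by itself, but it is a ready-made interactive login for anyone who later gains the ability to run passwd, so service accounts should carry /sbin/nologin in addition to a locked hash.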
User Management Commands
useradd / adduser
On RHEL/CentOS, adduser is a symlink to useradd; on Debian-based systems adduser is a separate interactive front end with its own options. useradd itself:
useradd [options] LOGIN
-b BASE_DIR: base directory under which the home directory is created (default /home)
-d HOME_DIR: explicit home directory
-m: create the home directory if it does not exist (and copy the skeleton files into it)
-M: do not create the home directory
-g GROUP: primary group (name or GID)
-G GROUP1,GROUP2: secondary groups (comma-separated)
-N: do not create a group with the same name as the user (the primary group then comes from -g or /etc/default/useradd)
-U: create a group with the same name as the user (the default when USERGROUPS_ENAB is yes)
-o: allow a duplicate (non-unique) UID (requires -u)
-r: create a system account (UID from the SYS_UID range, no home directory unless -m is given, no aging information in /etc/shadow)
-s SHELL: login shell
-u UID: numeric UID
-c COMMENT: comment (GECOS) field
-k SKEL_DIR: skeleton directory to copy instead of /etc/skel
-K KEY=VALUE: override an /etc/login.defs entry for this invocation
-D: show or, combined with other options, modify the defaults in /etc/default/useradd
newusers
Batch creation or update of accounts from a file in which each line follows pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell; newusers hashes the cleartext pw_passwd field itself and updates the account if pw_name already exists. Options include -c to choose the hashing method (DES, MD5, SHA256, SHA512) and -r to create system accounts. Because the input file holds cleartext passwords, create it with mode 600 and delete it when done. Errors part-way through are not rolled back, so run pwck and grpck afterwards to check /etc/passwd and /etc/group for consistency.
groupadd
groupadd [options] GROUP
-f: exit successfully if the group already exists; combined with -g, fall back to a free GID if the requested one is taken
-g GID: numeric GID (must be unique unless -o is also given)
-K KEY=VALUE: override the group-related /etc/login.defs settings (for example GID_MIN, GID_MAX)
-r: create a system group (GID from the SYS_GID range)
passwd
Change a user's password. Run as root it also supports locking (-l, which prefixes the hash in /etc/shadow with !), unlocking (-u), forcing a change at the next login (-e, which expires the password immediately), and aging (-n minimum days, -x maximum days, -w warning days, -i inactivity days). Password quality is enforced by the PAM stack, typically pam_cracklib.so on older releases or pam_pwquality.so on CentOS 7 and later, with pam_unix.so performing the actual update; these modules are what make an interactive passwd reject weak passwords, and writing a hash straight into /etc/shadow bypasses them.
chpasswd
Batch password updates from stdin or a file, one user:password per line. -c chooses the hashing method and -e indicates that the passwords supplied are already hashed. Policy such as ENCRYPT_METHOD is read from /etc/login.defs. The same caveat as for newusers applies: feed it from a protected file or a here-document, not from a command line that ends up in shell history.
chage
View or modify the password aging fields in /etc/shadow for a user. -l lists the current settings in human-readable form; -d sets the last-change date (-d 0 forces a change at the next login); -m, -M, -W and -I set the minimum, maximum, warning and inactivity days; -E sets the account expiration date as a date or as days since 1970-01-01 (0 means 1970-01-01, so the account is expired immediately; -1 removes the expiration).
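An added example, not from the original article, that applies the aging fields to constructed /etc/shadow lines and classifies each account the way you would read it off chage -l by hand: fine, inside the warning window, password expired, disabled through inactivity, account expired, or forced to change at next login. The entries, the day numbers and the "today" value are made up; on a real system pass /etc/shadow and $(( $(date +%s) / 86400 )) as today.

```shell
#!/bin/sh
# Added example: evaluate /etc/shadow aging fields (3-8) for every account.
# All accounts, dates and the "today" value below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# fields: name:hash:last_change:min:max:warn:inactive:expire:reserved
cat > "$WORK/shadow" <<'EOF'
root:$6$s$h:19000:0:99999:7:::
alice:$6$s$h:19000:0:90:7:30::
bob:$6$s$h:19350:1:90:7:::
carol:$6$s$h:19320:1:90:14:::
dave:$6$s$h:19300:1:90:7:::
eve:$6$s$h:0:0:90:7:::
frank:$6$s$h:19000:0:99999:7::19000:
EOF

# Print "user status" for each line, given today as days since 1970-01-01.
# Usage: aging_status SHADOW_FILE TODAY_DAYS
aging_status() {
    awk -F: -v today="$2" '
    {
        user = $1; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        status = "ok"
        if (expire != "" && today >= expire)
            status = "account-expired"          # field 8: the whole account is gone
        else if (last == 0)
            status = "must-change"              # chage -d 0 / passwd -e
        else if (max != "" && max != 99999) {   # 99999 or empty = password never expires
            if (inact != "" && today > last + max + inact)
                status = "inactive"             # disabled; an admin must reset it
            else if (today > last + max)
                status = "password-expired"     # user is made to change it at login
            else if (warn != "" && today >= last + max - warn)
                status = "warn"                 # warning printed at login
        }
        print user, status
    }' "$1"
}

aging_status "$WORK/shadow" 19400
```

The ordering of the checks matters: an account expiration date (field 8) wins over everything else, and an empty last-change field disables aging entirely rather than counting as day 0, which is why the comparison is done against the field value and not against an empty string.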
userdel / groupdel
Remove users or groups. userdel -r also removes the home directory and mail spool; -f forces removal even if the user is still logged in or the home directory is shared with another account. Files the user owned elsewhere on the system keep the now-orphaned UID, so locate them (find / -nouser) and reassign or delete them, otherwise a later account given the same UID silently inherits them. groupdel refuses to remove a group that is still some user's primary group.
usermod
usermod [options] LOGIN
-l NEW_LOGIN: change the username (the home directory and mail spool are not renamed)
-u UID: change the UID (use -o to allow a duplicate); files under the home directory are re-owned automatically, files elsewhere are not
-g GROUP: change the primary group
-G GROUP1,GROUP2: set the secondary groups, replacing the existing list
-a -G GROUP: append to the secondary groups instead of replacing them
-d HOME_DIR: change the home directory (-m moves the current contents)
-s SHELL: change the login shell
-c COMMENT: change the comment field
-L / -U: lock or unlock the password (the same ! prefix as passwd -l)
-e DATE: set the account expiration date
-f DAYS: set the inactivity period after password expiry before the account is disabled
Forgetting -a is the classic mistake: usermod -G wheel alice silently removes alice from every other secondary group she was in.
vipw / vigr
Safe editors for /etc/passwd (vipw), /etc/shadow (vipw -s), /etc/group (vigr) and /etc/gshadow (vigr -s). They take the same lock that useradd and passwd use, so a concurrent change cannot corrupt the file, and on exit they remind you to edit the matching shadow file. Prefer them to opening the files in a plain editor.
Other Useful Commands
finger – display user information (may need to be installed on newer CentOS)
id – show UID, GID and group membership
users – list the usernames currently logged in
last – show recent login sessions from /var/log/wtmp
lastb – show failed login attempts from /var/log/btmp
who and w – display who is logged in and what they are doing
lastlog – report the most recent login of each user
Manual User Creation Workflow
Add the user's primary group (and any secondary groups, with the user listed in field 4) to /etc/group.
Append a line to /etc/passwd with the user's details and a line to /etc/shadow with a placeholder password (!!), so the account exists but cannot yet be logged into. Use vipw and vipw -s rather than a plain editor so the files stay locked and consistent.
Create the home directory, copy the skeleton files from /etc/skel, and set the ownership (chown -R user:group) and permissions (chmod 700 for privacy).
Set the password: either run passwd USER interactively, or generate a hash and put it in field 2 of /etc/shadow. openssl passwd -1 produces an MD5 hash, which is obsolete; use openssl passwd -6 (SHA-512, OpenSSL 1.1.1 and later) and read the password from standard input with -stdin rather than passing it on the command line. On RHEL-derived systems passwd --stdin is the scripting variant that reads the password from standard input; it is not interactive, and both it and a hand-written hash bypass the PAM quality checks.
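An added example, not from the original article, that runs the manual workflow above against a sandbox directory instead of the real /etc so it can be exercised without root. The sandbox layout, the user name, the UIDs and the password are constructed for the demonstration; on a live system the same edits go through vipw/vigr and the chown step needs root.

```shell
#!/bin/sh
# Added example: the manual workflow above, run against a sandbox directory
# (ROOT) instead of the real /etc so it works without root. User names, UIDs
# and the password are constructed for the demonstration.
set -eu

# Build a fake root with the files the workflow touches.
make_sandbox() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/skel" "$r/home"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$r/etc/passwd"
    printf 'root:!!:19000:0:99999:7:::\n' > "$r/etc/shadow"
    printf 'root:x:0:\nwheel:x:10:\n' > "$r/etc/group"
    printf '# constructed skeleton .bashrc\n' > "$r/etc/skel/.bashrc"
    chmod 600 "$r/etc/shadow"   # the real file is 0000 on RHEL, 0640 root:shadow on Debian
    echo "$r"
}

# Steps 1-3: group line, passwd line, locked shadow line, then the home directory.
# Usage: manual_adduser ROOT NAME UID GID [SHELL]
manual_adduser() {
    r=$1; name=$2; uid=$3; gid=$4; shell=${5:-/bin/bash}
    home=/home/$name
    today=$(( $(date +%s) / 86400 ))      # shadow field 3: days since 1970-01-01
    printf '%s:x:%s:\n' "$name" "$gid" >> "$r/etc/group"                   # user private group
    printf '%s:x:%s:%s:%s:%s:%s\n' "$name" "$uid" "$gid" "$name" "$home" "$shell" >> "$r/etc/passwd"
    printf '%s:!!:%s:0:99999:7:::\n' "$name" "$today" >> "$r/etc/shadow"   # !! = no password yet, login impossible
    mkdir -p "$r$home"
    cp -R "$r/etc/skel/." "$r$home/"      # "/." copies dotfiles too; real system: chown -R "$uid:$gid" "$home"
    chmod 700 "$r$home"
}

# Secondary membership: append NAME to field 4 of GROUP's line in /etc/group.
# The file is rewritten in place (cat >) so its mode and owner are preserved.
add_to_group() {
    r=$1; name=$2; group=$3
    awk -F: -v OFS=: -v g="$group" -v u="$name" '
        $1 == g { $4 = ($4 == "") ? u : $4 "," u } { print }
    ' "$r/etc/group" > "$r/etc/group.tmp" && cat "$r/etc/group.tmp" > "$r/etc/group" && rm "$r/etc/group.tmp"
}

# Step 4: replace the !! placeholder with a SHA-512 crypt hash made by
# openssl passwd -6 (OpenSSL >= 1.1.1), fed through stdin so the password never
# shows up in a process listing. If openssl cannot produce it, the account simply
# stays locked and passwd must be run later.
set_password() {
    r=$1; name=$2; password=$3
    hash=$(printf '%s\n' "$password" | openssl passwd -6 -stdin 2>/dev/null) || hash='!!'
    awk -F: -v OFS=: -v u="$name" -v h="$hash" '$1 == u { $2 = h } { print }' \
        "$r/etc/shadow" > "$r/etc/shadow.tmp" && cat "$r/etc/shadow.tmp" > "$r/etc/shadow" && rm "$r/etc/shadow.tmp"
}

ROOT=$(make_sandbox)
trap 'rm -rf "$ROOT"' EXIT
manual_adduser "$ROOT" alice 1000 1000
add_to_group "$ROOT" alice wheel
set_password "$ROOT" alice 'constructed-demo-password'
grep -E '^(alice|wheel):' "$ROOT/etc/passwd" "$ROOT/etc/group" "$ROOT/etc/shadow"
```

Two details carry over to the real system: the rewrite of /etc/shadow deliberately copies over the existing file instead of mv-ing a temporary one, because a fresh temporary file would come up with the umask's mode (usually 644) and expose every hash; and the hand-written hash skips pam_pwquality entirely, so anything that is not a throwaway demo password should still be set with passwd.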
Following these guidelines ensures consistent, secure user and group management on Linux systems.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
