Managing User Accounts and Groups in Linux: A Practical Guide
Core Concepts of Users and Groups
A user in Linux is identified by a username and authenticated via a password. Groups act as containers for users, enabling collective permission management. Users fall into distinct categories:
- Administrators (root) and Regular Users
- System Users: Created to run background services or daemons with non-administrative privileges. They typically never log in interactively.
- Regular Users split into system users and interactive (login) users.
Every user has a numeric identifier, the UID:
| Category | UID Range (CentOS 6) | UID Range (CentOS 7) |
|---|---|---|
| Administrator (root) | 0 | 0 |
| System Users | 1–499 | 1–999 |
| Login Users | 500–60000 | 1000–60000 |
Usernames are resolved to UIDs through /etc/passwd.
Groups are identified by a GID:
| Category | GID Range (CentOS 6) | GID Range (CentOS 7) |
|---|---|---|
| Administrator Group | 0 | 0 |
| System Groups | 1–499 | 1–999 |
| Login Groups | 500–60000 | 1000–60000 |
Group names map to GIDs via /etc/group.
A user can belong to:
- A primary group (defined in
/etc/passwd) - One or more supplementary groups (defined in
/etc/group)
Groups can also be:
- Private: Group name matches the username and contains only that user.
- Public: Shared by multiple users.
Authentication and Password Security
Authentication verifies provided credentials against stored data. Password hashes reside in /etc/shadow (for users) and /etc/gshadow (for groups).
Best practices for passwords:
- Use randomly generated strings.
- Enforce a minimum length of 8 characters.
- Require at least three character classes: uppercase, lowercase, digits, and punctuation.
- Schedule periodic changes.
Common encryption and hashing techniques:
- Symmetric Encryption: Same key for encryption and decryption.
- Asymmetric Encryption: Key pair (public and private).
- One-Way Hash Functions: Extract a data fingerprint. Algorithms include MD5 (128-bit) and the SHA family (SHA-1 160-bit, SHA-256, SHA-512, etc.). A random
saltis added to hash calculations to strengthen security.
Key Configuration Files:
/etc/passwd: Format isname:password:UID:GID:GECOS:directory:shell. The password field is usually 'x', meaning the actual hash is in/etc/shadow./etc/shadow: Format isusername:encrypted_password:last_change:min_days:max_days:warn_days:inactive_days:reserved./etc/group: Format isgroup_name:password:GID:user_list, whereuser_listcontains members who have this group as a supplementary group.
Security Context
When a process runs, it inherits the permissions of the user who launched it. A process's ability to access files is determined by the file's permissions and the identity of the process owner.
Managing Groups
Create a group:
groupadd [options] group_name
-g GID: Assign a specific GID.-r: Make it a system group.
Example:
sudo groupadd zhangbiao
Inspect the new group entry:
tail -n 1 /etc/group
Modify a group:
groupmod [options] GROUP
-g GID: Change the GID.-n new_name: Rename the group.
sudo groupmod zhangbiao -n zhangtao
Delete a group:
sudo groupdel zhangtao
Managing Users
Creating a new user:
useradd [options] login_name
-u UID: Specify the user ID.-g GROUP: Set the primary group (must exist).-G GROUPS: Add to supplementary groups (comma-separated).-c "COMMENT": Add a GECOS comment.-d PATH: Set the home directory. Skeleton files are copied from/etc/skelunless the directory exists.-s SHELL: Assign a default shell (valid shells in/etc/shells).-r: Create a system user.-M: Do not create a home directory.
Modifying a user:
usermod [options] login_name
-u UID,-g GROUP: Change ID or primary group.-G GROUPS: Replace the entire list of supplementary groups. Use-aGto append without losing existing groups.-d PATH [-m]: Change the home directory;-mmoves existing home contents.-l NEW_NAME: Change the login name.-L/-U: Lock or unlock the user's password.-s SHELL: Change the default shell.
Delete a user:
userdel [options] login_name
-r: Also remove the home directory and mail spool.
Password Operations
The passwd command manages passwords.
- Set your own password:
passwd - Root sets another's password:
sudo passwd username - Lock/unlock:
-l,-u - Delete password:
-d - Set expiry and lifetime rules:
-e DATE,-i DAYS,-n DAYS,-x DAYS,-w DAYS
A non-interactive password update using --stdin:
echo "newSecret123" | sudo passwd --stdin zhangbiao
For group passwords, use gpasswd:
gpasswd [options] group
-a USER: Add a user to the group.-d USER: Remove a user from the group.
Users can temporarily switch their effective primary group with newgrp.
newgrp mysql
# Now creating a file uses the new primary group
touch new_file.txt
exit # Return to original primary group
Use chage to fine-tune password expiration:
chage -d,-E,-W,-m,-Mlogin_name
Identifying User and Group Membership
The id command shows real and effective UID/GIDs.
id # Current user's info
id root # Root's info
id -u # Only effective UID
id -g # Only primary GID
id -G # All GIDs
id -nG # Show group names instead of IDs
Switching Users
The su (switch user) command allows context switching:
- Login shell:
su - usernameorsu -l username. Initializes environment as if the user logged in direct, changing to their home directory. - Non-login shell:
su username. Spawns a shell without a full environment reset, keeping the current directory.
Root can switch to any account without a password. Execute a single command as another user with -c:
su -c 'whoami' mysql
File System Permission Model
When a process attempts to access a file, the kernel checks:
- Does the file's owner UID match the process's UID? If yes, owner permissions apply.
- Otherwise, does the file's group GID match one of the proces's GIDs? If yes, group permissions apply.
- Otherwise, 'other' permissions apply.
View permissions with ls -l. The rwxrwxrwx string represents rights for owner, group, and other.
Permissions on Files:
r: Read the file's data.w: Modify the file's data.x: Execute the file as a program.
Permissions on Directories:
r: List the directory's contents (ls).w: Modify the directory's contents (create/delete files).x: Enter the directory (cd) and access metadata of its contents (ls -l).
Modifying Permissions with chmod
The chmod command alters file/directory modes. A user can only change permissions on files they own.
Symbolic Mode:
Target users: u (owner), g (group), o (other), a (all).
- Assign specific permissions:
chmod u=rwx test.txt - Alter individual permissions with
+or-:chmod u-x test.txt
Octal Mode:
Each permission set is a 3-bit value: r=4, w=2, x=1.
chmod 777 test.txt # Grants rwx to everyone
Reference Mode: Copy permissions from a source file.
chmod --reference=source.txt target.txt
Managing File Ownership
The chown command changes owner (and optionally group).
chown user:group file-R: Apply recursively to a directory.
Only the superuser can change a file's owner. The group can be changed by the owner if they are a member of the target group.
sudo chown roo:roo test.txt # Change owner and group
sudo chgrp root test.txt # Change group only
The install Command
The install utility copies files while setting attributes (often used in scripts).
Common options:
-m MODE: Set permissions (default 755).-o OWNER: Set owner.-g GROUP: Set group.-d PATH: Create directories.
Copy a single file:
sudo install -m 640 -o www-data -g developers app.conf /etc/myapp/
Copy multiple source files into a target directory:
install zhang/* ./
Create a new directory:
install -d /opt/new_project
Creating Secure Temporary Files
The mktemp comand creates unique temporary files or directories within /tmp or a specified location. It respects umask but ensures the file is readable/writable only by its owner.
# Create a temporary file with a random 3-character suffix
mktemp myapp.XXX
# Create a temporary directory
mktemp -d /tmp/myapp.bak.XXXX
The full path of the created item is printed to stdout, making it ideal for variable assignment in scripts.
