# Chapter 6: User Management Commands

Comprehensive Linux User Account Management

## 6.1 User Account Concepts

### User Types in Linux
| Type | UID | Purpose | Examples |
|---|---|---|---|
| Root user | 0 | Full system control | root |
| System users | 1-999 | Services and daemons | bin, daemon, sys, mail |
| Regular users | 1000+ | Interactive accounts | Human users |

System users (UID 1-999):
- Used by system services
- Usually no login shell
- Limited file system access
- Often use /sbin/nologin or /usr/sbin/nologin

Regular users (UID 1000+):
- Interactive user accounts
- Home directory in /home
- Login shell (/bin/bash, /bin/zsh)
- Can use sudo for elevated privileges

### User Database Files
| File | Description |
|---|---|
| /etc/passwd | User account information (readable by all) |
| /etc/shadow | Encrypted passwords (root only) |
| /etc/group | Group information |
| /etc/gshadow | Group passwords (rarely used) |

### passwd File Format
Each line of /etc/passwd has seven colon-separated fields:

```text
username:password:UID:GID:GECOS:home_directory:shell
```

Example entries:

| username | password | UID | GID | GECOS | home dir | shell |
|---|---|---|---|---|---|---|
| root | x | 0 | 0 | root | /root | /bin/bash |
| daemon | x | 1 | 1 | daemon | /usr/sbin | /sbin/nologin |
| john | x | 1000 | 1000 | John Doe | /home/john | /bin/bash |
| mysql | x | 999 | 999 | MySQL Server | /var/lib/mysql | /sbin/nologin |

Field descriptions:
- username: Login name
- password: 'x' means the password is stored in /etc/shadow
- UID: User ID number
- GID: Primary group ID
- GECOS: Full name, contact info (comma-separated)
- home_dir: User's home directory
- shell: Login shell

### shadow File Format
Each line of /etc/shadow has these colon-separated fields (the file also carries a ninth, reserved field that is normally empty):

```text
username:password:last_change:min_age:max_age:warn:inactive:expire
```

Example entries:

| username | password and aging fields |
|---|---|
| root | !$6$xyz... (locked by the '!' prefix) |
| john | $6$abc...:19234:0:99999:7:: |
| mysql | !! (no password set) |

Field descriptions:
- password: Encrypted password, or '!' / '!!' (locked / never set)
- last_change: Days since Jan 1, 1970 of the last password change
- min_age: Days before the password can be changed again
- max_age: Days before the password must be changed
- warn: Days before expiry that the user is warned
- inactive: Days after expiry before the account is disabled
- expire: Days since Jan 1, 1970 on which the account expires

Password prefixes:
- $1$ - MD5
- $2a$ - Blowfish (bcrypt)
- $5$ - SHA-256
- $6$ - SHA-512 (default)
- $y$ - yescrypt (the default on recent Debian, Ubuntu and Fedora releases)
- ! - Account locked
- !! - Password never set
- * - No login allowed

## 6.2 Creating Users
### useradd Command

```bash
# Basic user creation (minimal)
sudo useradd username

# Create with home directory
sudo useradd -m username

# Create with specific UID
sudo useradd -u 1500 username

# Create with specific shell
sudo useradd -s /bin/zsh username

# Create with custom home directory
sudo useradd -d /custom/home username

# Create with comment/GECOS
sudo useradd -c "John Doe" username

# Create with expiration date
sudo useradd -e 2024-12-31 username

# Create with specific primary group (the group must already exist)
sudo useradd -g developers username

# Create with supplementary groups
sudo useradd -G wheel,sudo username

# Combine all options (full example)
sudo useradd -m \
  -s /bin/bash \
  -c "John Doe,Systems Admin,555-1234" \
  -u 1000 \
  -g developers \
  -G wheel,docker \
  -e 2024-12-31 \
  -f 30 \
  john
```

### useradd Default Settings
```bash
# View default useradd settings
useradd -D

# Example output:
# GROUP=100
# HOME=/home
# INACTIVE=-1
# EXPIRE=
# SHELL=/bin/bash
# SKEL=/etc/skel
# CREATE_MAIL_SPOOL=yes

# Modify defaults (written to /etc/default/useradd)
sudo useradd -D -s /bin/zsh
sudo useradd -D -e 2025-01-01
sudo useradd -D -f 14

# Per-user setting, not a default: force a password change on first login
sudo chage -d 0 username
```

### Interactive User Creation
```bash
# Using adduser (Debian/Ubuntu - interactive)
sudo adduser username
# Creates user, home dir, sets up files from /etc/skel

# Using adduser with options
sudo adduser --home /custom/home --shell /bin/bash john

# Fedora/RHEL: adduser is a symlink to useradd, so there is no interactive
# front-end; create the user and set the password in two steps
sudo useradd -m username
sudo passwd username

# Using Arch Linux (manual steps)
sudo useradd -m john
sudo passwd john
```

### Creating System Users
```bash
# Create system user (no home, no login)
sudo useradd -r -s /sbin/nologin mysql

# System user with home (for running services)
sudo useradd -r -s /sbin/nologin \
  -d /var/lib/mysql \
  -c "MySQL Server" \
  mysql

# Create user for application
sudo useradd -r -d /opt/myapp -s /sbin/nologin myapp

# Options for system users:
# -r : Create system account (UID taken from the system range)
# -s : Login shell (/sbin/nologin)
# -d : Home directory
# -M : Don't create home directory
# -N : Don't create user group
# -g : Specify primary group
```

## 6.3 Modifying Users
### usermod Command

```bash
# Change username
sudo usermod -l newname oldname

# Change home directory (without moving)
sudo usermod -d /new/home username

# Change home directory (move contents)
sudo usermod -d /new/home -m username

# Change shell
sudo usermod -s /bin/zsh username

# Change UID
sudo usermod -u 2000 username

# Change primary group
sudo usermod -g developers username

# Set specific supplementary groups (replaces the current list)
sudo usermod -G wheel,sudo,docker username

# Add to supplementary groups (append)
sudo usermod -aG wheel,sudo username

# Remove from all supplementary groups
sudo usermod -G "" username

# Lock account (locks the password only; SSH key logins still work unless
# the account is also expired with -e)
sudo usermod -L username

# Unlock account
sudo usermod -U username

# Set expiration date
sudo usermod -e 2024-12-31 username

# Remove expiration
sudo usermod -e "" username

# Set inactive days after password expires
sudo usermod -f 30 username

# Change GECOS
sudo usermod -c "New Name,New Title,555-5678" username
```

### usermod Examples
```bash
# Migrate user to a new login name and home directory
sudo usermod -d /home/newjohn -m -l newjohn john

# Make an existing user non-interactive (usermod has no -r/system flag;
# the UID stays as it is)
sudo usermod -s /sbin/nologin -L username

# Add user to multiple groups
sudo usermod -aG docker,nginx,redis john

# Lock account after suspicious activity (lock the password and expire the
# account, so key-based logins stop as well)
sudo usermod -L -e 2024-01-01 john

# Change user's default group
sudo usermod -g developers john
```

### Modifying User Properties
```bash
# Change user's comment (GECOS)
sudo chfn -f "John Doe" john
# Or use
sudo usermod -c "John Doe" john

# View finger info
finger john

# Change login name (username)
sudo usermod -l newname oldname
# Note: This doesn't change the home directory

# Migrate user's files after rename
sudo usermod -d /home/newname -m -l newname oldname
```

## 6.4 Deleting Users
### userdel Command

```bash
# Basic user deletion
sudo userdel username

# Delete with home directory and mail spool
sudo userdel -r username

# Force deletion (even if logged in)
sudo userdel -f username

# Force removal together with -r. userdel never removes files outside the
# home directory and mail spool; locate those with: find / -user username
sudo userdel -rf username
```

### Deletion Best Practices
```bash
# Before deleting user:
# 1. Check for running processes
ps -U username

# 2. Kill any running processes
sudo pkill -u username

# 3. Backup user's files
sudo tar -czf /backup/username-home.tar.gz /home/username

# 4. Check for cron jobs
sudo crontab -u username -l

# 5. Check for print jobs
lpstat -u username

# 6. Check mail
ls /var/mail/username
ls /var/spool/mail/username

# 7. Remove crontab (must be done while the account still exists)
sudo crontab -r -u username

# 8. Remove from sudo group (deluser is Debian/Ubuntu; gpasswd -d username sudo works everywhere)
sudo deluser username sudo

# 9. Delete user
sudo userdel -r username
```

## 6.5 Managing Passwords
### passwd Command

```bash
# Change own password
passwd

# Change another user's password (as root)
sudo passwd username

# Delete password (the account becomes passwordless; avoid on any account with a login shell)
sudo passwd -d username

# Lock account
sudo passwd -l username

# Unlock account
sudo passwd -u username

# Set password expiration
sudo passwd -e username   # Force change on next login

# View password status
sudo passwd -S username

# Example output:
# username P 01/01/2024 0 99999 7 -1
# P  = password set
# L  = locked
# NP = no password
```

### Password Aging
```bash
# Set password aging with chage
sudo chage -l username             # View current settings
sudo chage -m 5 username           # Minimum days between changes
sudo chage -M 90 username          # Maximum days until expiry
sudo chage -W 7 username           # Warning days before expiry
sudo chage -I 14 username          # Days after expiry before lock
sudo chage -E 2024-12-31 username  # Account expiry date

# Set to never expire
sudo chage -M -1 username
```
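The aging fields above are plain day counts, so the checks this chapter describes (extra UID 0 accounts, hashes left in /etc/passwd, empty password fields, system accounts with a usable shell, expired or inactivity-locked passwords) can be applied offline to a copy of both files. The following is an added example, not code from the original page; the records it parses are constructed, not taken from any real host.

```python
"""Audit passwd/shadow records for the risky states this chapter describes.
Added example, not code from the original page; the sample records below are
constructed, not copied from any real host."""

# Constructed sample data in the section 6.1 layouts; shadow lines carry the 9th (reserved) field.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
backup:x:0:0:Backup:/root:/bin/bash
mysql:x:999:999:MySQL Server:/var/lib/mysql:/sbin/nologin
svc:x:998:998:Legacy Service:/opt/svc:/bin/bash
john:x:1000:1000:John Doe:/home/john:/bin/bash
guest:$6$fakehash:1001:1001:Guest:/home/guest:/bin/bash
"""
SHADOW = """root:$6$fakehash:19234:0:99999:7:::
daemon:*:19234:0:99999:7:::
backup:$6$fakehash:19234:0:99999:7:::
mysql:!!:19234:0:99999:7:::
svc:$6$fakehash:19234:0:99999:7:::
john:$6$fakehash:19000:0:90:7:14::
guest::19234:0:99999:7:::
"""

def parse(text, nfields):
    """Return {username: fields} for one colon-separated database."""
    records = {}
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed record: {line!r}")
        records[fields[0]] = fields
    return records

def audit(passwd_text, shadow_text, today):
    """Return sorted (username, finding) pairs; today = days since 1970-01-01."""
    passwd, shadow = parse(passwd_text, 7), parse(shadow_text, 9)
    findings = []
    for user, (_, pwfield, uid, _, _, _, shell) in passwd.items():
        uid = int(uid)
        if uid == 0 and user != "root":
            findings.append((user, "extra UID 0 account"))
        if pwfield != "x":  # anything but 'x' here is a hash readable by everyone
            findings.append((user, "hash stored in world-readable passwd"))
        entry = shadow.get(user)
        if entry is None:
            findings.append((user, "no shadow entry"))
            continue
        hash_, last, maxage, inactive, expire = (entry[i] for i in (1, 2, 4, 6, 7))
        if hash_ == "":  # empty field: login succeeds with no password at all
            findings.append((user, "empty password field"))
        usable = hash_ != "" and not hash_.startswith(("!", "*"))
        if 1 <= uid <= 999 and usable and not shell.endswith(("nologin", "/false")):
            findings.append((user, "system account with shell and usable password"))
        if last and maxage and int(last) + int(maxage) < today:
            findings.append((user, "password expired"))
            if inactive and int(last) + int(maxage) + int(inactive) < today:
                findings.append((user, "locked by inactivity"))
        if expire and int(expire) < today:
            findings.append((user, "account expired"))
    return sorted(findings)
```

On a real host, feed it the output of `sudo getent passwd` and `sudo getent shadow` and today's day number (`$(( $(date +%s) / 86400 ))`).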
```bash
# Force password change on next login
sudo chage -d 0 username
```

### Password Quality
```bash
# Install password quality checker
sudo apt-get install libpam-pwquality
```

Configure the password requirements in /etc/security/pwquality.conf:

```ini
# minlen = minimum password length
minlen = 12

# dcredit = digits requirement (-1: at least 1 digit)
dcredit = -1

# ucredit = uppercase requirement (-1: at least 1 uppercase)
ucredit = -1

# lcredit = lowercase requirement (-1: at least 1 lowercase)
lcredit = -1

# ocredit = special character requirement (-1: at least 1 special)
ocredit = -1

# maxclassrepeat = maximum consecutive characters from the same class
maxclassrepeat = 3
```
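To see what the settings in this section actually reject, the following added example parses a pwquality.conf-style file and applies its rules to candidate passwords. It is a simplified model of libpam-pwquality's behaviour written for this page, not the library's code: positive credits are not modelled, and the small word list stands in for the cracklib dictionary that dictcheck consults.

```python
"""Check candidate passwords against pwquality.conf settings.
Added example: a simplified model of libpam-pwquality's rules, not its code;
positive credits are not modelled, WORDLIST stands in for cracklib's dictionary."""
import string

# Constructed config in the same key = value form as /etc/security/pwquality.conf.
CONF = """# comment lines and blank lines are ignored
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxclassrepeat = 3
dictcheck = 1
"""
WORDLIST = {"password", "welcome", "letmein", "qwerty"}  # stand-in dictionary
CREDITS = (("dcredit", "digit"), ("ucredit", "upper"),
           ("lcredit", "lower"), ("ocredit", "other"))

def parse_conf(text):
    """Return {key: int} for every 'key = value' line."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = int(value)
    return conf

def char_class(ch):
    """pwquality's four character classes."""
    return "digit" if ch.isdigit() else "upper" if ch.isupper() else "lower" if ch.islower() else "other"

def check_password(password, conf):
    """Return the names of the settings the password violates ([] = accepted)."""
    violations = []
    if len(password) < conf.get("minlen", 8):  # pwquality's built-in default is 8
        violations.append("minlen")
    classes = [char_class(ch) for ch in password]
    # A negative credit means "at least that many characters of this class".
    for key, cls in CREDITS:
        if conf.get(key, 0) < 0 and classes.count(cls) < -conf[key]:
            violations.append(key)
    # maxclassrepeat limits consecutive characters from the same class.
    limit, run = conf.get("maxclassrepeat", 0), 0
    for i, cls in enumerate(classes):
        run = run + 1 if i and classes[i - 1] == cls else 1
        if limit and run > limit:
            violations.append("maxclassrepeat")
            break
    # dictcheck rejects dictionary words, also when padded with trailing digits/punctuation.
    stem = password.lower().rstrip(string.digits + string.punctuation)
    if conf.get("dictcheck") and (password.lower() in WORDLIST or stem in WORDLIST):
        violations.append("dictcheck")
    return violations
```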
```ini
# dictcheck = reject passwords found in the cracklib dictionary
dictcheck = 1
```

## 6.6 User Information Commands
### id Command

```bash
# View own ID info
id

# View specific user's ID
id username

# Output example:
# uid=1000(john) gid=1000(john) groups=1000(john),10(wheel),993(docker)

# View only UID
id -u

# View only GID
id -g

# View all groups
id -G

# View username
id -un

# Names instead of numbers (-n), here for all groups
id -Gn
```

### who and w Commands
```bash
# Show who is logged in
who

# Show with header
who -H

# Show all entries
who -a

# Show time of last system boot
who -b

# Show login processes
who -l

# Show users + process info
w

# Show w without header
w -h

# Show specific user
w username
```

### last Command
```bash
# Show recent logins
last

# Show last 10 entries
last -10

# Show specific user
last username

# Show reboots
last reboot

# Show shutdowns
last shutdown

# Show failed logins (reads /var/log/btmp, so root is needed)
sudo lastb
```

## 6.7 User Environment
### Default Files

When a user is created with -m, the contents of /etc/skel/ are copied to the new home directory:

```text
/etc/skel/
├── .bashrc          - Bash configuration
├── .bash_profile    - Login bash config
├── .profile         - POSIX login config
├── .bash_logout     - Cleanup on logout
├── .gitconfig       - Git configuration
└── .vimrc           - Vim configuration
```

The user can customize:
- ~/.bashrc (non-login shell)
- ~/.bash_profile or ~/.profile (login shell)
- ~/.inputrc (readline)
- ~/.vimrc (vim)

### Environment Variables
```bash
# View all environment variables
env

# View user-specific variables
printenv HOME
printenv USER
printenv SHELL
printenv PATH

# Set environment variable for session
export VAR=value

# Set for all sessions
echo "export VAR=value" >> ~/.bashrc
```

## 6.8 LDAP/AD Integration
### System Security Services Daemon (SSSD)

```bash
# Install SSSD
sudo apt-get install sssd realmd oddjob oddjob-mkhomedir

# Join to Active Directory
sudo realm join -U admin@DOMAIN.COM domain.com
```

Configure SSSD in /etc/sssd/sssd.conf (the file must be owned by root with mode 0600, or sssd refuses to start):

```ini
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM

[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u
```

```bash
# Restart service
sudo systemctl restart sssd
```

### LDAP Client Configuration
```bash
# Install LDAP client
sudo apt-get install libpam-ldapd nslcd
```

Configure /etc/nslcd.conf (it holds the bind password, so keep it readable only by root and the nslcd user, and prefer ldaps:// or STARTTLS over plain ldap://):

```text
uri ldap://ldap.example.com
base dc=example,dc=com
binddn cn=proxyuser,dc=example,dc=com
bindpw secret
```

```bash
# Configure PAM
sudo auth-client-config -t nss -p lac_ldap
```

## 6.9 Troubleshooting
### Common Issues

```bash
# User cannot login
# Check: password set, account not locked, shell exists
sudo passwd -S username
sudo grep username /etc/shadow
ls -l /bin/bash

# User gets "User not known to underlying authentication module"
sudo pwconv
sudo grpconv

# Home directory missing
sudo mkdir -m 755 /home/username
sudo chown username:username /home/username
sudo cp -r /etc/skel/. /home/username/

# Permission issues
sudo chown -R username:username /home/username

# Cannot create user
# Check UID range available
tail -1 /etc/passwd

# Account locked after failed attempts (pam_tally2; on systems that use
# pam_faillock instead, run: sudo faillock --user username --reset)
sudo pam_tally2 --user username --reset
```

### Debugging Commands
```bash
# Check user exists
getent passwd username

# Check password entry (root only)
sudo getent shadow username

# Check groups
getent group groupname

# Check user processes
ps -U username

# Check user files
find / -user username 2>/dev/null

# Check crontabs
sudo crontab -u username -l

# Check at jobs (as root, atq lists every user's jobs with the owner in the last column)
sudo atq

# Check print jobs
lpstat -u username
```

## 6.10 Interview Questions
### Q1: What is the difference between system users and regular users?

Answer:
- System users (UID 1-999): Used for system services and daemons. Usually don't have login shells (/sbin/nologin), no home directory, or minimal access. Created with useradd -r.
- Regular users (UID 1000+): Interactive accounts for humans. Have login shells, home directories in /home, and can use sudo for elevated privileges.
### Q2: What is the purpose of the /etc/shadow file?

Answer: The /etc/shadow file stores encrypted passwords and password aging information. It is readable only by root for security. Each line contains: username, encrypted password, last change date, min/max age, warning period, inactivity period, and expiry date.
This separation from /etc/passwd improves security because:
- Regular users can’t read passwords
- Password aging policies can be enforced
- Account lockout features work properly
### Q3: How do you lock and unlock a user account?

Answer:

```bash
# Lock account (prefix password with !)
sudo passwd -l username
# or
sudo usermod -L username

# Unlock account (remove ! prefix)
sudo passwd -u username
# or
sudo usermod -U username

# View lock status
sudo passwd -S username
```

### Q4: What happens when you delete a user without the -r flag?
Answer: The user's account is removed but:
- Home directory remains
- Mail spool remains
- Files owned by user remain (become orphaned)
Use find to locate and handle orphaned files (search by the old numeric UID, since the name no longer resolves):

```bash
find / -user UID -ls
```

### Q5: How do you force a user to change password on next login?
Answer:

```bash
# Set password age to 0 (expired)
sudo chage -d 0 username

# Or
sudo passwd -e username

# Verify
sudo chage -l username
```

### Q6: What is the difference between userdel and deluser?
Answer:
- userdel: Low-level command, minimal safety checks
- deluser: Higher-level Perl script (Debian/Ubuntu), safer with more options:
  - Can remove home directory
  - Can remove all files
  - Can backup before removing
## Quick Reference

### Commands

```bash
# Create user
useradd -m -s /bin/bash -c "Name" -u 1000 -G group user

# Modify user
usermod -aG group user
usermod -L user
usermod -e 2024-12-31 user

# Delete user
userdel -r user

# Password management
passwd user
passwd -l user
passwd -e user

# User info
id user
who
finger user

# Password aging
chage -l user
```

### Files

| File | Purpose |
|---|---|
| /etc/passwd | User account info |
| /etc/shadow | Passwords & aging |
| /etc/group | Group info |
| /etc/skel/ | Default user files |
| /etc/default/useradd | Default settings |
### UID Ranges

| Range | Type |
|---|---|
| 0 | Root |
| 1-99 | System |
| 100-999 | System (dynamic) |
| 1000+ | Regular users |
## Summary

In this chapter, you learned:
- ✅ User account concepts and types
- ✅ User database files (passwd, shadow)
- ✅ Creating users with useradd
- ✅ Modifying users with usermod
- ✅ Deleting users
- ✅ Managing passwords
- ✅ Password aging policies
- ✅ User information commands
- ✅ User environment setup
- ✅ Troubleshooting user issues
- ✅ Interview questions and answers
Last Updated: February 2026