User Management
Chapter 6: User Management Commands
Comprehensive Linux User Account Management
Why This Matters in DevOps/SRE
User management is critical for access control, security, and compliance in any production environment:
Security & Compliance:
- Principle of Least Privilege → Minimal access
- Audit trails → Who did what, when
- Password policies → Complexity, rotation
- SSH keys → Key-based authentication

Automation & DevOps:
- LDAP/AD integration → Centralized auth
- SSO → Single Sign-On for applications
- Service accounts → App-to-app authentication
- sudo policies → Delegated admin access

Incident Response:
- Quick user disable → Terminate access immediately
- Password reset → Emergency access recovery
- Audit logs → Investigate security incidents

Practical Impact:
- Implement least privilege access in production
- Manage service accounts for automation (CI/CD, APIs)
- Respond to security incidents by quickly disabling users
- Comply with SOX, HIPAA, PCI-DSS requirements
6.1 User Account Concepts
User Types in Linux
Linux accounts fall into three types, distinguished by UID range:

- Root user (UID 0): full system control. The kernel checks the UID, not the name, so any account with UID 0 is root, whatever it is called.
- System users (UID 1-999): used by services and daemons (bin, daemon, sys, mail, mysql). Usually no login shell (/sbin/nologin or /usr/sbin/nologin), no password, and limited file system access.
- Regular users (UID 1000+): interactive accounts for humans. Home directory under /home, a login shell (/bin/bash, /bin/zsh), and elevated privileges through sudo where granted.

The range boundaries come from /etc/login.defs (UID_MIN, SYS_UID_MIN, SYS_UID_MAX) and differ slightly between distributions.
User Database Files

| File | Description |
|---|---|
| /etc/passwd | User account information (readable by all) |
| /etc/shadow | Password hashes and aging information (readable by root only; group shadow on Debian) |
| /etc/group | Group information |
| /etc/gshadow | Group passwords and group administrators (rarely used) |
passwd File Format

username:password:UID:GID:GECOS:home_directory:shell

Example:

| username | password | UID | GID | GECOS | home dir | shell |
|---|---|---|---|---|---|---|
| root | x | 0 | 0 | root | /root | /bin/bash |
| daemon | x | 1 | 1 | daemon | /usr/sbin | /usr/sbin/nologin |
| john | x | 1000 | 1000 | John Doe | /home/john | /bin/bash |
| mysql | x | 999 | 999 | MySQL Server | /var/lib/mysql | /sbin/nologin |

Field descriptions:
- username: login name
- password: 'x' means the hash is in /etc/shadow
- UID: user ID number
- GID: primary group ID
- GECOS: full name and contact info (comma-separated)
- home_dir: user's home directory
- shell: login shell (/sbin/nologin or /bin/false for accounts that must not log in)
shadow File Format

username:password:last_change:min_age:max_age:warn:inactive:expire:(reserved)

Example lines:
root:!$6$xyz...:19234:0:99999:7:::     (locked: the hash is kept but prefixed with !)
john:$6$abc...:19234:0:99999:7:::
mysql:!!:19234:0:99999:7:::            (no password has ever been set)

Field descriptions:
- password: password hash, or ! / !! / * (see prefixes below)
- last_change: date of the last password change, in days since Jan 1, 1970 (0 forces a change at next login; empty disables aging)
- min_age: days that must pass before the password can be changed again
- max_age: days after which the password must be changed (99999 or empty: never)
- warn: days before expiry during which the user is warned
- inactive: days after password expiry before the account is disabled (empty: never)
- expire: absolute account expiry date, in days since Jan 1, 1970 (empty: never)

Password field prefixes:
- $1$ - MD5 (obsolete; re-hash these accounts at the next password change)
- $2a$, $2b$, $2y$ - bcrypt (Blowfish-based; BSD systems and some PAM setups)
- $5$ - SHA-256
- $6$ - SHA-512 (default on RHEL and on older Debian/Ubuntu releases)
- $y$ - yescrypt (default on Debian 11+, Ubuntu 22.04+ and Fedora 35+)
- ! in front of a hash - password locked (passwd -l, usermod -L); the hash is retained so the account can be unlocked unchanged
- !! or ! alone - password never set
- * - password login disabled (typical for system accounts)

A locked or starred password field only blocks password authentication. SSH public keys, NOPASSWD sudo rules and cron jobs keep working until the account is expired (chage -E / usermod -e) or the keys are removed.
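The two formats above are exactly what an account review reads. The script below is an added example, not code from the original chapter: it audits passwd- and shadow-format files for the states described in both sections (extra UID 0 accounts, duplicate UIDs, system users with a login shell, empty password fields, MD5 hashes, users with no shadow entry). The records written by write_sample_accounts are constructed for the demo; on a real host run it as root against /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example, not code from the original chapter: audit passwd/shadow-format
# files for the account states a reviewer checks first. On a real host run it as
# root against /etc/passwd and /etc/shadow; write_sample_accounts only writes
# constructed records for the demo.
set -eu

# audit_accounts PASSWD_FILE SHADOW_FILE -> one "user: FINDING" line per problem.
audit_accounts() {
  awk -F: '
    # Pass 1 (shadow): classify the password field of every user.
    FNR == NR {
      pw = $2
      if (pw == "")                            state[$1] = "EMPTY-PASSWORD"      # logs in with no password where PAM allows nullok
      else if (pw ~ /^[!*]+$/)                 state[$1] = "locked"              # "!", "!!" or "*": no hash at all
      else if (pw ~ /^!/)                      state[$1] = "locked-hash"         # passwd -l / usermod -L: "!" in front of a hash
      else if (pw ~ /^[$]1[$]/)                state[$1] = "WEAK-HASH-MD5"
      else if (pw ~ /^[$](5|6|y|2[abxy])[$]/)  state[$1] = "ok"                  # SHA-256, SHA-512, yescrypt, bcrypt
      else                                     state[$1] = "UNKNOWN-HASH-FORMAT"
      next
    }
    # Pass 2 (passwd): structural checks, then report the upper-case states from pass 1.
    {
      name = $1; uid = $3; shell = $7
      if (uid == 0 && name != "root") print name ": UID-0-NOT-ROOT"          # the kernel only looks at the UID
      if (uid in seen)                print name ": DUPLICATE-UID " uid " (also " seen[uid] ")"
      seen[uid] = name
      if (uid > 0 && uid < 1000 && shell !~ /(nologin|false)$/) print name ": SYSTEM-USER-WITH-SHELL " shell
      s = (name in state) ? state[name] : "NO-SHADOW-ENTRY"
      if (s ~ /^[A-Z]/)               print name ": " s
    }
  ' "$2" "$1"
}

# write_sample_accounts DIR: constructed passwd/shadow snippets, not from any real host.
write_sample_accounts() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'toor:x:0:0:second root:/root:/bin/bash' \
    'www-data:x:33:33:www-data:/var/www:/bin/bash' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'bob:x:1001:1001:Bob:/home/bob:/bin/bash' \
    'legacy:x:1002:1002:Legacy app:/home/legacy:/bin/bash' > "$1/passwd"
  printf '%s\n' \
    'root:$6$salt$hash:19700:0:99999:7:::' \
    'daemon:*:19700:0:99999:7:::' \
    'toor:$6$salt$hash:19700:0:99999:7:::' \
    'www-data:*:19700:0:99999:7:::' \
    'alice:$y$j9T$salt$hash:19700:0:90:7:::' \
    'bob::19700:0:99999:7:::' \
    'legacy:$1$salt$hash:19700:0:99999:7:::' > "$1/shadow"
}

# Demo on the constructed data.
demo_dir=$(mktemp -d)
write_sample_accounts "$demo_dir"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample data this reports toor (UID 0 and a duplicate of root's UID), www-data (system account with a real shell), bob (empty password field) and legacy (MD5 hash). Accounts such as sync, shutdown and halt legitimately carry a non-nologin shell on some distributions, so the SYSTEM-USER-WITH-SHELL check needs an allowlist on real hosts; the script also sees only local files, so run getent-based checks as well where SSSD or LDAP supply accounts.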
6.2 Creating Users

useradd Command
Section titled “useradd Command”# Basic user creation (minimal)sudo useradd username
# Create with home directorysudo useradd -m username
# Create with specific UIDsudo useradd -u 1500 username
# Create with specific shellsudo useradd -s /bin/zsh username
# Create with custom home directorysudo useradd -d /custom/home username
# Create with comment/GECOSsudo useradd -c "John Doe" username
# Create with expiration datesudo useradd -e 2024-12-31 username
# Create with specific primary groupsudo useradd -g developers username
# Create with supplementary groupssudo useradd -G wheel,sudo username
# Combine all options (full example)sudo useradd -m \ -s /bin/bash \ -c "John Doe,Systems Admin,555-1234" \ -u 1000 \ -g developers \ -G wheel,docker \ -e 2024-12-31 \ -f 30 \ johnuseradd Default Settings
useradd Default Settings

# View default useradd settings
useradd -D

# Example output:
# GROUP=100
# HOME=/home
# INACTIVE=-1
# EXPIRE=
# SHELL=/bin/bash
# SKEL=/etc/skel
# CREATE_MAIL_SPOOL=yes

# Modify defaults (stored in /etc/default/useradd; they apply only to accounts created afterwards)
sudo useradd -D -s /bin/zsh
sudo useradd -D -e 2025-01-01
sudo useradd -D -f 14

# There is no default that forces a password change at first login; set it per account after creation
sudo chage -d 0 username
Interactive User Creation

# Using adduser (Debian/Ubuntu - interactive front-end to useradd)
sudo adduser username
# Creates the user and home directory, copies /etc/skel, and prompts for a password and GECOS

# Using adduser with options
sudo adduser --home /custom/home --shell /bin/bash john

# Fedora/RHEL: adduser is a symlink to useradd (there is no interactive front-end), so create the account and set the password in two steps
sudo useradd -m username
sudo passwd username

# Arch Linux (same manual steps)
sudo useradd -m john
sudo passwd john
Creating System Users

# Create system user (UID from the system range, no home directory, no login shell, no password aging)
sudo useradd -r -s /sbin/nologin mysql

# System user with a home directory (for running services). -r never creates the directory itself:
# add -m if it does not exist yet, or let the package create it
sudo useradd -r -s /sbin/nologin \
  -d /var/lib/mysql \
  -c "MySQL Server" \
  mysql

# Create user for an application
sudo useradd -r -d /opt/myapp -s /sbin/nologin myapp

# Options for system users:
# -r : create a system account (UID from SYS_UID_MIN-SYS_UID_MAX in /etc/login.defs)
# -s : login shell (/sbin/nologin; /usr/sbin/nologin on Debian/Ubuntu)
# -d : home directory (recorded in /etc/passwd; created only with -m)
# -M : don't create a home directory
# -N : don't create a group named after the user (combine with -g)
# -g : primary group
6.3 Modifying Users

usermod Command
Section titled “usermod Command”# Change usernamesudo usermod -l newname oldname
# Change home directory (without moving)sudo usermod -d /new/home username
# Change home directory (move contents)sudo usermod -d /new/home -m username
# Change shellsudo usermod -s /bin/zsh username
# Change UIDsudo usermod -u 2000 username
# Change primary groupsudo usermod -g developers username
# Set specific supplementary groupssudo usermod -G wheel,sudo,docker username
# Add to supplementary groups (append)sudo usermod -aG wheel,sudo username
# Remove from all supplementary groupssudo usermod -G "" username
# Lock accountsudo usermod -L username
# Unlock accountsudo usermod -U username
# Set expiration datesudo usermod -e 2024-12-31 username
# Remove expirationsudo usermod -e "" username
# Set inactive days after password expiressudo usermod -f 30 username
# Change GECOSsudo usermod -c "New Name,New Title,555-5678" usernameusermod Examples
usermod Examples

# Rename a user and migrate the home directory
sudo usermod -d /home/newjohn -m -l johnjohn john

# Turn an interactive user into a service-style account. usermod has no equivalent of useradd -r:
# remove the shell and lock the password; only move the UID into the system range (-u) if you also
# re-own the user's files outside the home directory
sudo usermod -s /sbin/nologin -L username

# Add user to multiple groups
sudo usermod -aG docker,nginx,redis john

# Disable an account after suspicious activity: lock the password AND expire the account (a past date),
# then end the live sessions. -L alone leaves SSH key logins and running sessions untouched
sudo usermod -L -e 1970-01-02 john
sudo pkill -KILL -u john

# Change user's primary group
sudo usermod -g developers john
Modifying User Properties

# Change user's comment (GECOS)
sudo chfn -f "John Doe" john
# Or use
sudo usermod -c "John Doe" john

# View finger info (requires the finger package)
finger john

# Change login name (username)
sudo usermod -l newname oldname
# Note: this does not rename the home directory

# Migrate user's files after rename
sudo usermod -d /home/newname -m -l newname oldname
6.4 Deleting Users

userdel Command
# Basic deletion (home directory and files are left behind)
sudo userdel username

# Delete with home directory and mail spool
sudo userdel -r username

# Force deletion even if the user is logged in (their processes keep running; kill them first)
sudo userdel -f username

# Both: remove home and mail spool even if logged in. Files elsewhere on the system are NOT removed;
# find them afterwards with find -nouser
sudo userdel -rf username
Deletion Best Practices

# Before deleting a user:
# 1. Check for running processes
ps -U username
# 2. Kill them
sudo pkill -KILL -u username
# 3. Back up the home directory
sudo tar -czf /backup/username-home.tar.gz /home/username
# 4. Check and remove cron jobs (userdel does not always remove the spool file)
sudo crontab -u username -l
sudo crontab -r -u username
# 5. Check print jobs
lpstat -u username
# 6. Check mail
ls -l /var/mail/username /var/spool/mail/username
# 7. Check sudoers: userdel removes the user from /etc/group, but never touches /etc/sudoers or /etc/sudoers.d
sudo grep -rw username /etc/sudoers /etc/sudoers.d
# 8. Delete the user
sudo userdel -r username
# 9. Find files left elsewhere; the name no longer resolves, so search by UID or for files with no owner
sudo find / -xdev -nouser -ls
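The checklist above is easy to run by hand once and forget the next time. The script below is an added example, not code from the original chapter: it gathers the pre-deletion checks that leave access behind when skipped (the account itself, group memberships, sudoers rules, cron spool files, the leaver's key pasted into another account's authorized_keys, and files owned elsewhere). The ROOT prefix, the sample tree written by write_sample_tree and the user jsmith are this example's constructions; on a live host run it as root with no prefix.

```shell
#!/bin/sh
# Added example, not code from the original chapter: before running userdel,
# list every place that still grants a leaver access or runs code on their
# behalf. ROOT is an optional path prefix so the checks can run against the
# constructed tree written by write_sample_tree; on a live host run the script
# as root with no prefix.
set -eu

# residual_access USER [ROOT] -> "where: detail" lines; no output means nothing left behind.
residual_access() {
  user=$1; root=${2:-}
  # 1. The account itself.
  if grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
    echo "passwd: account $user still exists"
  fi
  # 2. Group memberships: sudo, docker, adm and similar each carry privilege.
  if [ -f "$root/etc/group" ]; then
    awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print "group: member of " $1 }' "$root/etc/group"
  fi
  # 3. sudoers rules that name the user (userdel drops group memberships, never sudoers entries).
  for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    grep -nw "$user" "$f" | sed "s|^|sudoers: ${f#$root}:|"
  done
  # 4. Cron spool (Debian and RHEL locations). at jobs live in /var/spool/cron/atjobs or /var/spool/at.
  for c in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
    if [ -f "$c" ]; then echo "cron: crontab file ${c#$root}"; fi
  done
  # 5. The leaver's key pasted into another account's authorized_keys. This matches on the key
  #    comment, which is optional and editable, so also compare fingerprints (ssh-keygen -lf).
  for k in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$k" ] || continue
    grep -nw "$user" "$k" | sed "s|^|authorized_keys: ${k#$root}:|"
  done
  # 6. Files owned by the account outside its home (only possible while the name still resolves).
  if id "$user" >/dev/null 2>&1; then
    find "${root:-/}" -xdev -user "$user" ! -path "$root/home/$user/*" 2>/dev/null | sed 's|^|file: |'
  fi
  return 0
}

# write_sample_tree DIR: a constructed slice of a host where "jsmith" is leaving.
write_sample_tree() {
  d=$1
  mkdir -p "$d/etc/sudoers.d" "$d/var/spool/cron/crontabs" "$d/home/deploy/.ssh" "$d/home/jsmith"
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'jsmith:x:1001:1001:J. Smith:/home/jsmith:/bin/bash' > "$d/etc/passwd"
  printf '%s\n' 'sudo:x:27:alice,jsmith' 'docker:x:999:jsmith' 'dev:x:1010:alice' > "$d/etc/group"
  printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' > "$d/etc/sudoers"
  printf '%s\n' 'jsmith ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp' > "$d/etc/sudoers.d/myapp"
  printf '%s\n' '0 3 * * * /home/jsmith/backup.sh' > "$d/var/spool/cron/crontabs/jsmith"
  printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal jsmith@laptop' \
    > "$d/home/deploy/.ssh/authorized_keys"
}

# Demo on the constructed tree (real use, as root: residual_access jsmith).
demo_root=$(mktemp -d)
write_sample_tree "$demo_root"
residual_access jsmith "$demo_root"
rm -rf "$demo_root"
```

Run it before userdel, fix what it lists, delete the account, then run it again: the second run should print nothing. The authorized_keys check only finds keys whose comment names the user, so for a thorough offboarding compare fingerprints of the leaver's known public keys against every authorized_keys file as well.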
6.5 Managing Passwords

passwd Command
# Change own password
passwd

# Change another user's password (as root)
sudo passwd username

# Delete the password. The account can then log in with no password wherever PAM allows "nullok"; avoid this
sudo passwd -d username

# Lock the password (same as usermod -L; SSH keys still work)
sudo passwd -l username

# Unlock the password
sudo passwd -u username

# Expire the password: force a change on next login
sudo passwd -e username

# View password status
sudo passwd -S username

# Example output:
# username P 01/01/2024 0 99999 7 -1
# P = usable password set, L = locked, NP = no password,
# followed by last change date, min days, max days, warn days, inactive days
Password Aging

# Set password aging with chage
sudo chage -l username            # View current settings
sudo chage -m 5 username          # Minimum days between changes
sudo chage -M 90 username         # Maximum days until expiry
sudo chage -W 7 username          # Warning days before expiry
sudo chage -I 14 username         # Days after expiry before lock
sudo chage -E 2024-12-31 username # Account expiry date

# Set password to never expire
sudo chage -M -1 username

# Force password change on next login
sudo chage -d 0 username

# PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE in /etc/login.defs only apply to accounts created afterwards;
# existing accounts keep their own values until changed with chage.
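Because the login.defs values only affect accounts created later, bringing an existing fleet in line means finding every interactive account whose fields are looser than policy and running chage for each. The script below is an added example, not code from the original chapter: it builds that plan from passwd- and shadow-format files and prints the chage commands without executing them. The policy numbers and the sample records written by write_sample_aging are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original chapter: find interactive accounts
# whose shadow aging fields are looser than policy and emit the chage commands
# that would bring them in line. Nothing is executed; review the plan, then pipe
# it into sh as root. The policy numbers are this example's assumptions.
set -eu

POLICY_MAX=90    # chage -M  (PASS_MAX_DAYS equivalent)
POLICY_WARN=14   # chage -W  (PASS_WARN_AGE equivalent)
POLICY_INACT=30  # chage -I  (INACTIVE equivalent)

# aging_plan PASSWD_FILE SHADOW_FILE -> one "chage ... user" line per non-compliant account.
# Only interactive, non-system accounts are considered: UID >= 1000 with a real login shell.
aging_plan() {
  awk -F: -v max="$POLICY_MAX" -v warn="$POLICY_WARN" -v inact="$POLICY_INACT" '
    # Pass 1 (shadow): remember max_age (field 5), warn (6) and inactive (7) per user.
    FNR == NR { maxage[$1] = $5; warnd[$1] = $6; inactd[$1] = $7; next }
    # Pass 2 (passwd): select interactive accounts and compare with the policy.
    $3 >= 1000 && $1 != "nobody" && $7 !~ /(nologin|false)$/ {
      opts = ""
      # An empty field means "never"; chage -M -1 also writes an empty field.
      if (maxage[$1] == "" || maxage[$1] < 0 || maxage[$1] > max)   opts = opts " -M " max
      if (warnd[$1] == ""  || warnd[$1] < warn)                     opts = opts " -W " warn
      if (inactd[$1] == "" || inactd[$1] < 0 || inactd[$1] > inact) opts = opts " -I " inact
      if (opts != "") print "chage" opts " " $1
    }
  ' "$2" "$1"
}

# write_sample_aging DIR: constructed passwd/shadow snippets, not from any real host.
write_sample_aging() {
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'svc-backup:x:998:998:Backup service:/var/lib/backup:/usr/sbin/nologin' \
    'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
    'bob:x:1001:1001:Bob:/home/bob:/bin/zsh' \
    'deploy:x:1002:1002:Deploy bot:/home/deploy:/usr/sbin/nologin' \
    'carol:x:1003:1003:Carol:/home/carol:/bin/bash' \
    'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$1/passwd"
  printf '%s\n' \
    'root:$6$salt$hash:19700:0:99999:7:::' \
    'svc-backup:*:19700:0:99999:7:::' \
    'alice:$y$j9T$salt$hash:19700:0:99999:7:::' \
    'bob:$6$salt$hash:19700:1:90:14:30::' \
    'deploy:*:19700:0:99999:7:::' \
    'carol:$6$salt$hash:19700:0::14:30::' \
    'nobody:*:19700:0:99999:7:::' > "$1/shadow"
}

# Demo: print the plan for the constructed data. On a real host (as root):
#   aging_plan /etc/passwd /etc/shadow          # review
#   aging_plan /etc/passwd /etc/shadow | sh     # apply
demo_dir=$(mktemp -d)
write_sample_aging "$demo_dir"
aging_plan "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample data alice (max 99999, warn 7, no inactive period) gets all three options and carol (empty max_age, i.e. never expires) gets only -M; bob already matches the policy and the service accounts are skipped. Accounts with an empty max_age are the ones a manual review most often misses, because chage -l prints them as "never". Note that when an expiring password is your compliance requirement this is the tool; current NIST SP 800-63B guidance prefers long passwords rotated on evidence of compromise over fixed rotation periods, so check which regime your policy actually follows.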
Password Quality

# Install the password quality module (Debian/Ubuntu; RHEL/Fedora ship pam_pwquality by default)
sudo apt-get install libpam-pwquality

# Configure password requirements in /etc/security/pwquality.conf
minlen = 12           # minimum password length
dcredit = -1          # at least 1 digit (a negative value is a required count, a positive one a length credit)
ucredit = -1          # at least 1 uppercase letter
lcredit = -1          # at least 1 lowercase letter
ocredit = -1          # at least 1 special character
maxrepeat = 3         # max consecutive identical characters (0 disables the check)
maxclassrepeat = 4    # max consecutive characters of the same class (digits, letters, ...)
dictcheck = 1         # reject dictionary words (cracklib)
enforce_for_root      # without this, root may set a failing password for any account

# Check a candidate against the configured policy without changing anything (pwscore, from libpwquality-tools)
echo 'candidate-password' | pwscore
6.6 User Information Commands

id Command
# View own ID info
id

# View specific user's ID
id username

# Output example:
# uid=1000(john) gid=1000(john) groups=1000(john),10(wheel),993(docker)

# Effective UID only
id -u

# Primary GID only
id -g

# All group IDs
id -G

# Names instead of numbers: -n combines with -u, -g or -G (id -nu is the same as id -un; plain id -u is already numeric)
id -un
id -Gn
who and w Commands

# Show who is logged in
who

# Show with header
who -H

# Show all entries (boot time, run level, dead processes, logins)
who -a

# Show the last system boot time (not a login time; use last or lastlog for that)
who -b

# Show login processes (ttys waiting for a login)
who -l

# Show logged-in users and what they are running
w

# Show w without header
w -h

# Show specific user
w username
last Command

# Show recent logins (reads /var/log/wtmp)
last

# Show last 10 entries
last -n 10

# Show specific user
last username

# Show reboots
last reboot

# Show shutdowns
last shutdown

# Show failed logins (reads /var/log/btmp, readable by root only)
sudo lastb

# Show the last login of every account; useful for finding dormant accounts
sudo lastlog
6.7 User Environment

Default Files
When a user is created with -m, the contents of /etc/skel/ are copied into the new home directory. Typical contents (what ships by default varies by distribution; anything you add is copied too):

- .bashrc - Bash configuration
- .bash_profile - login Bash configuration
- .profile - POSIX login configuration
- .bash_logout - cleanup on logout
- .gitconfig - Git configuration
- .vimrc - Vim configuration

Users can customize:
- ~/.bashrc (non-login shell)
- ~/.bash_profile or ~/.profile (login shell)
- ~/.inputrc (readline)
- ~/.vimrc (vim)
Environment Variables

# View all environment variables
env

# View user-specific variables
printenv HOME
printenv USER
printenv SHELL
printenv PATH

# Set environment variable for the current session
export VAR=value

# Set for all future sessions (do not store secrets here: rc files are usually readable by other users)
echo 'export VAR=value' >> ~/.bashrc
6.8 LDAP/AD Integration

System Security Services Daemon (SSSD)
# Install SSSD and realmd (Debian/Ubuntu package names)
sudo apt-get install sssd sssd-tools realmd adcli oddjob oddjob-mkhomedir

# Join Active Directory (prompts for the admin password; writes /etc/sssd/sssd.conf and /etc/krb5.conf and creates the computer object)
sudo realm discover domain.com
sudo realm join -U admin domain.com

# After a join every domain user may log in. Restrict it to a group:
sudo realm deny --all
sudo realm permit -g linux-admins@domain.com

# Configure SSSD in /etc/sssd/sssd.conf (must be owned by root with mode 0600, or sssd refuses to start)
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN.COM

[domain/DOMAIN.COM]
id_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%u

# Restart the service and verify lookups
sudo systemctl restart sssd
id someuser@domain.com
LDAP Client Configuration

# Install the LDAP NSS and PAM client (nslcd)
sudo apt-get install libnss-ldapd libpam-ldapd nslcd

# Configure /etc/nslcd.conf. It holds the bind password, so keep it readable only by root and nslcd
# (the package installs it that way), use ldaps:// or "ssl start_tls", and bind with a read-only proxy account
uri ldaps://ldap.example.com
base dc=example,dc=com
binddn cn=proxyuser,dc=example,dc=com
bindpw secret
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Make NSS consult LDAP in /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap

# Enable pam_ldap in the PAM stack (auth-client-config is obsolete) and restart
sudo pam-auth-update
sudo systemctl restart nslcd

# Verify
getent passwd ldapuser
6.9 Troubleshooting

Common Issues
# User cannot log in
# Check: password set and not locked, account not expired, shell exists and is listed in /etc/shells
sudo passwd -S username
sudo chage -l username
getent passwd username | cut -d: -f7
grep -x /bin/bash /etc/shells
# The reason is logged: /var/log/auth.log (Debian/Ubuntu), /var/log/secure (RHEL), or journalctl -u ssh

# "User not known to the underlying authentication module": /etc/passwd and /etc/shadow are out of sync
sudo pwconv
sudo grpconv

# Home directory missing
sudo mkdir -m 750 /home/username
sudo cp -r /etc/skel/. /home/username/
sudo chown -R username:username /home/username

# Permission issues
sudo chown -R username:username /home/username

# Cannot create user: check which UIDs are in use (the last line of /etc/passwd is not necessarily the highest UID)
getent passwd | cut -d: -f3 | sort -n | tail -1
grep -E '^(UID|SYS_UID)_(MIN|MAX)' /etc/login.defs

# Account locked after failed attempts (pam_faillock on current systems; pam_tally2 on old ones)
sudo faillock --user username
sudo faillock --user username --reset
# legacy: sudo pam_tally2 --user username --reset
Debugging Commands

# Check user exists (unlike grep on /etc/passwd, this also sees LDAP/SSSD users)
getent passwd username

# Check the shadow entry (root only)
sudo getent shadow username

# Check a group and its members
getent group groupname

# Check user processes
ps -U username

# Check files owned by the user (-xdev stays on one filesystem)
sudo find / -xdev -user username 2>/dev/null

# Check crontab
sudo crontab -u username -l

# Check at jobs (atq has no -u option; run it as root to see every user's jobs with their owner)
sudo atq

# Check print jobs
lpstat -u username

6.10 Interview Questions
Section titled “6.10 Interview Questions”Q1: What is the difference between system users and regular users?
Answer:
- System users (UID 1-999): Used for system services and daemons. Usually have no login shell (/sbin/nologin), no home directory and no password, so they cannot log in interactively. Created with useradd -r.
- Regular users (UID 1000+): Interactive accounts for humans. Have login shells, home directories in /home, and may use sudo for elevated privileges.
Q2: What is the purpose of /etc/shadow file?
Answer: The /etc/shadow file stores password hashes and password aging information. It is readable only by root (and the shadow group on Debian). Each line contains: username, hashed password, last change date, min/max age, warning period, inactivity period, and expiry date.
This separation from /etc/passwd improves security because:
- /etc/passwd must stay world-readable (ls, ps and every program that maps UIDs to names read it), so hashes kept there could be copied by any local user and cracked offline
- Password aging policies can be enforced from the same record
- Account locking (the ! prefix) and expiry are stored where only root can change them
Q3: How do you lock and unlock a user account?
Answer:
# Lock account (prefixes the password hash with !)
sudo passwd -l username
# or
sudo usermod -L username

# Unlock account (removes the ! prefix)
sudo passwd -u username
# or
sudo usermod -U username

# View lock status
sudo passwd -S username

# Locking the password does not stop SSH public-key logins. To disable the account completely,
# also set an expiry date in the past and end existing sessions:
sudo usermod -L -e 1970-01-02 username
sudo pkill -KILL -u username
Q4: What happens when you delete a user without -r flag?
Answer: The user's account is removed but:
- Home directory remains
- Mail spool remains
- Files owned by user remain (become orphaned)
Use find to find and handle orphaned files:
sudo find / -xdev -user UID -ls
# or, for files whose owner no longer exists in /etc/passwd at all:
sudo find / -xdev -nouser -ls
Q5: How do you force a user to change password on next login?
Answer:
# Set the last-change date to 0 (expired)
sudo chage -d 0 username

# Or
sudo passwd -e username

# Verify
sudo chage -l username
Q6: What is the difference between userdel and deluser?
Answer:
- userdel: low-level command from shadow-utils, available on every distribution, minimal safety checks
- deluser: higher-level Perl script (Debian/Ubuntu), safer with more options:
  - Can remove the home directory (--remove-home)
  - Can remove all files owned by the user (--remove-all-files)
  - Can back up the files before removing them (--backup)
  - Can also remove a user from a single group (deluser user group)
Quick Reference
Commands
# Create user
useradd -m -s /bin/bash -c "Name" -u 1000 -G group user

# Modify user
usermod -aG group user
usermod -L user
usermod -e 2024-12-31 user

# Delete user
userdel -r user

# Password management
passwd user
passwd -l user
passwd -e user

# User info
id user
who
finger user

# Password aging
chage -l user

| File | Purpose |
|---|---|
| /etc/passwd | User account info |
| /etc/shadow | Passwords & aging |
| /etc/group | Group info |
| /etc/skel/ | Default user files |
| /etc/default/useradd | Default settings |
UID Ranges
| Range | Type |
|---|---|
| 0 | Root |
| 1-99 | System |
| 100-999 | System (dynamic) |
| 1000+ | Regular users |
Common Mistakes & Anti-Patterns
1. Using Root for Everything
# ❌ WRONG: Running everything as root
sudo su -             # Always root!
service myapp start   # Runs as root unless the unit says otherwise

# ✅ CORRECT: Use service accounts
sudo useradd -r -s /sbin/nologin myapp   # Create service account
sudo chown -R myapp:myapp /opt/myapp     # Set ownership
# In the unit file: [Service] User=myapp Group=myapp, so systemd drops privileges before exec
sudo systemctl start myapp               # Service runs as myapp
2. Weak Password Policies

# ❌ WRONG: No password policy enforcement
# Users can set weak passwords like "password123"

# ✅ CORRECT: Configure password policies
# Aging in /etc/login.defs (applies to accounts created afterwards; use chage for existing ones)
PASS_MIN_DAYS 1
PASS_MAX_DAYS 90
PASS_WARN_AGE 14
# Length and complexity via PAM: PASS_MIN_LEN in login.defs is not enforced on PAM-based systems,
# so set minlen and the credit options in /etc/security/pwquality.conf instead
minlen = 12
3. Not Managing User Lifecycle

# ❌ WRONG: Orphaned accounts remain active
# Employee leaves but account still works!

# ✅ CORRECT: Implement lifecycle management
# Automated deprovisioning when the HR system shows termination:
sudo usermod -L -e 1970-01-02 username   # Disable first (reversible, keeps evidence for investigations)
sudo userdel -r username                 # Remove after the retention period
# Or use identity management tools (central directory + SSSD) so one disable propagates to every host
# Periodic review: accounts that have not logged in for 90 days
sudo lastlog -b 90
4. Improper sudo Access

# ❌ WRONG: Too much sudo access
username ALL=(ALL) NOPASSWD: ALL   # Can do anything without password!

# ✅ CORRECT: Principle of least privilege: exact commands with their arguments, run as root only
username ALL=(root) /usr/bin/systemctl restart myapp
username ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl reload nginx
# Not a bare "/usr/bin/nginx": with free arguments the user can start nginx as root with any
# configuration file (-c), and an nginx config can load arbitrary modules, which is root.
# Edit with visudo (syntax check on save) and keep per-team rules in /etc/sudoers.d/<name>.
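Rules that look restrictive can still hand out root, which is why sudoers should be reviewed for patterns and not only for syntax. The script below is an added example, not code from the original chapter or from the sudo project: it flags passwordless ALL grants, wildcards in command arguments, commands subtracted from ALL with "!", programs with shell escapes, and systemctl/journalctl invocations that open a pager as root. Run visudo -cf on a file first for syntax; the rules written by write_sample_sudoers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original chapter: flag sudoers rules that
# look restrictive but are not. Run "visudo -cf FILE" first for syntax; this
# script only checks the semantics of the grants. The rules written by
# write_sample_sudoers are constructed for the demo.
set -eu

# lint_sudoers FILE -> "LINE: finding[ finding]: rule" for each suspicious rule.
lint_sudoers() {
  awk '
    /^[ \t]*(#|$)/        { next }   # comments, blank lines, #include directives
    /^[ \t]*@include/     { next }   # sudo 1.9 include syntax
    /^[ \t]*Defaults/     { next }   # option lines grant nothing
    {
      line = $0; sub(/^[ \t]+/, "", line); f = ""
      # Passwordless with no command restriction: unrestricted root.
      if (line ~ /NOPASSWD:[ \t]*ALL([ \t,]|$)/) f = f " nopasswd-all"
      # Wildcards in arguments match across word boundaries (sudoers(5)), so extra arguments and paths can be smuggled in.
      if (line ~ /[*?]/) f = f " wildcard"
      # sudoers(5): subtracting commands from ALL with "!" is bypassed by copying the binary under another name.
      if (line ~ /ALL[ \t]*,[ \t]*!/) f = f " negated-from-ALL"
      # Editors, pagers, shells, interpreters and tee give a root shell or arbitrary root writes.
      if (line ~ /(^|[^A-Za-z0-9_.-])(vim?|nano|emacs|less|more|sh|bash|zsh|python[0-9.]*|perl|ruby|find|awk|env|su|tee)([ \t,]|$)/) f = f " shell-escape"
      # Bare systemctl/journalctl, or "systemctl status", page output through less as root ("!sh" inside less).
      if (line ~ /(systemctl|journalctl)([ \t]*(,|$)|[ \t]+status)/) f = f " pager"
      if (f != "") print FNR ":" f ": " line
    }
  ' "$1"
}

# write_sample_sudoers FILE: constructed rules mixing sound and unsound grants.
write_sample_sudoers() {
  printf '%s\n' \
    '# constructed /etc/sudoers.d/app' \
    'Defaults env_reset' \
    '%admin ALL=(ALL) ALL' \
    'deploy ALL=(root) NOPASSWD: ALL' \
    'ops ALL=(root) /usr/bin/systemctl restart myapp, /usr/bin/systemctl status myapp' \
    'www ALL=(root) /usr/bin/vim /etc/nginx/*' \
    'jr ALL=(ALL) ALL, !/bin/sh, !/bin/bash' \
    'backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/' > "$1"
}

# Demo on the constructed rules (real use: lint_sudoers /etc/sudoers; for f in /etc/sudoers.d/*; do lint_sudoers "$f"; done).
demo_file=$(mktemp)
write_sample_sudoers "$demo_file"
lint_sudoers "$demo_file"
rm -f "$demo_file"
```

On the sample file the deploy, ops, www and jr rules are flagged; the %admin rule (full sudo for admins, with a password) and the backup rule (one binary with fixed arguments) pass. The pattern list is deliberately short; extend the shell-escape alternation with whatever else your hosts allow under sudo, and treat every finding as a prompt to read the rule, not as proof of a hole.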
Summary

In this chapter, you learned:
- ✅ User account concepts and types
- ✅ User database files (passwd, shadow)
- ✅ Creating users with useradd
- ✅ Modifying users with usermod
- ✅ Deleting users
- ✅ Managing passwords
- ✅ Password aging policies
- ✅ User information commands
- ✅ User environment setup
- ✅ Troubleshooting user issues
- ✅ Interview questions and answers
Next Chapter
Last Updated: February 2026