jump to navigation

Managing users and groups on Linux (creating /deleting) December 4, 2010

Posted by Tournas Dimitrios in Linux.

Managing user accounts and groups is an essential part of system administration within an organization. But to do this effectively, a good system administrator must first understand what user accounts and groups are and how they work. After introducing the reader on the basic commands used to manage user accounts , a practical example will be demonstrated at the end of this article .
The primary reason for user accounts is to verify the identity of each individual using a computer system. A secondary (but still important) reason for user accounts is to permit the per-individual tailoring of resources and access privileges.
Resources can include files, directories, and devices. Controlling access to these resources is a large part of a system administrator’s daily routine; often the access to a resource is controlled by groups.
Groups are logical constructs that can be used to cluster user accounts together for a common purpose.
For example, if an organization has multiple system administrators, they can all be placed in one system administrator group. The group can then be given permission to access key system resources. In this way, groups can be a powerful tool for managing resources and access.

This article outlines the basic commands for :

  • creating and managing users/groups (useradd , groupadd )
  • setting passwords (passwd )
  • password aging  (chage)
  • deleting user accounts

Everything on Linux can be done via the terminal or a gui – interface . Understanding the terminal is a better and more efficient approach to administer your Linux box .

Creating and managing users/groups :

The ultimate command to remeber when creating users from the terminal on Linux is useradd . An alternative command “adduser ” is a symbolic link to useradd .Using useradd is simple. In its easiest form, it just takes the name of a user as its argument;
Thus  ” useradd  user_1 ”  creates a user called user_1  to the system. It is a good idea, however, to use the option  -m  as well, because if you don’t, that user will be without a home directory, which in most cases is useless.Unfortunately , there is no easy way to create that home directory later , so a good habit is to create the home directory at the time the user is created ( useradd with the -m option ) . In most cases , a user should have a home directory because it allosw that person to store files somewhere , and it allows the administrator to put the configuration files for the user somewhere .

Following is a list of the most important options that you can use with useradd :

Useradd most used options
-m Creates a home directory automatically . For instance , if you use this option when creating a user named “user_1” , the home directory that is created is /home/user_1
-g Sets the primary group of a user
-G Makes the user a member of some additonal groups . By default , the user becomes a member of only those groups listed in /etc/defauld/useradd
-e Sets the expiration date for the user. Use this option to automatically disable the user’s account on the specified date . This can be entered in YYYY-MMM-DD format or as the number of days since the Linux epoch (January 1. 1970) .
-c Allows you to enter a comment field to the user account. If this comment
has white spaces or other special characters, make sure that they are in quotations.
Information set this way can be requested with the finger command, and this comment field typically is used for the user’s name. You will notice that for some of the system processes, this field gives a short description of the process that is responsible for the user account.
-p This option can be used to change the password of a user. There is a catch though , the password must be already encrypted by a program that uses the crypt function .This is not typically the way you want to change a password , so use the passwd command instead.

Every created user on Linux can belong to multiple groups , this is important on enterprise level environments , so that files and resources can be shared between specific group of users . Firstly a group must be created before a user can be configured to be a member of that specific group . The command for creating groups is ” groupadd  parents”  , this will create a group with the name “parents”  . For help see man page or do a ” groupadd -h ” .

Working with Default Values for User Management :

When managing users, two configuration files are involved that allow you to specify default settings for users.

  • First is /etc/defaults/useradd, which specifies default values for the useradd command. .As you have seen, a few options come with the useradd command. If an option isn’t specified,  will read its configuration file in /etc/default/useradd  , where it finds some default values such as what groups the user should become a member of and where to create the user’s home directory. To display or modify these default values , ” useradd ” provide us with some options (see table below ) .When using an option with useradd , you will always overwrite the default values .
  • Next is /etc/login.defs  , which is used to specify the default user environment . The /etc/login.defs  file is a configuration file that relates to the user environment but is used only in the background. This file defines some generic settings that determine all kinds of things relating to user login.  This file must exist on every system because you would otherwise experience unexpected behavior.
Display or change the default values of /etc/default/useradd file
useradd   -D Display the default values that are defined in /etc/default/useradd file
useradd -D -b /tmp Set the initial path prefix for a new user’s home directory
useradd -D -e Set the date on which the user’s account is disabled (value in days)
useradd -D -s Set the name of the new user’s login shell
useradd -D -f Set the number of days after a password has expired before the account will be disabled

The useradd command performs several actions behind the scenes :

  • Reads the /etc/login.defs file to get default values to use when creating accounts
  • Checks command-line parameters to find out which default values to override
  • Creates a new user entry in the /etc/passwd and /etc/shadow files based on the default values and the command line parameters
  • Creates any new group entries in the /etc/group file
  • Creates a home directory based on the user’s name and located in the /home directory
  • Copies any files located within the /etc/skel directory to the new home directory .This usually includes login and application startup scripts

Account maintenance with the passwd command :

You need to create passwords for each account . This is done with the passwd command .In an environment in which many users use the same computer, it’s crucial that you perform some basic account maintenance. These tasks include locking accounts when they are unneeded for a longer time, unlocking an account, and reporting password status. Also, an administrator can force a user to change his or her password after logging in for the first time.
To perform these tasks, the passwd command has the following options:

passwd most used options
passwd  -l username Enables an administrator to lock an account
passwd -u username Unlocks a previously locked account
passwd -e username Forces the user to change his or her password upon next login
passwd -S username Reports the status of the password for a given account:
username  PS    2010/12/4    0   9999 7    -1

  • name of the user account
  • Date on which the passwd was set
  • Date after which the password must be changed
  • Days before the password is to expire and user get warned
  • Days after wihich the password expires and account gets locked
password -i xx username Use this option to make an account expire automatically if it hasn’t been used for a given period .The argument of this option specifies the exact duration in days of this period .

Change user password expiry information :

Linux provides us with a handy tool “chage”  to modify the properties of the password for each user separetaly . The table below outlines the most used options for the “chage ” command .

The chage command options
chage -l   userxyz       ( read as EL  option) Show account aging information for   userxyz
chage -E username Set the date or number of days since January 1, 1970 on which the
user’s account will no longer be accessible. The date may also be
expressed in the format YYYY-MM-DD (or the format more commonly used in
your area).
chage -I username    (read as Aee  option) Set the number of days of inactivity after a password has expired
before the account is locked. The INACTIVE option is the number of days
of inactivity. A user whose account is locked must contact the system
administrator before being able to use the system again
chage -m 20  username Set the minimum number of days between password changes to MIN_DAYS. A
value of zero for this field indicates that the user may change his/her
password at any time.
chage -M 20 username Set the maximum number of days during which a password is valid. When
MAX_DAYS plus LAST_DAY is less than the current day, the user will be
required to change his/her password before being able to use his/her
chage -W 5 username Set the number of days of warning before a password change is required.
The WARN_DAYS option is the number of days prior to the password
expiring that a user will be warned his/her password is about to
Please use the man page for more detailed information  ” man chage”

Deleting users from a Linux box :

The userdel command is used to remove the user’s record from the /etc/password  and /etc/shadow files  , used in the login proccess. The command has a single argument , the username :  ” userdel  nameofuser ” .

There is also an optional -r  and -f  switch that additionally removes all the contents of the user’s home directory  ” userdel -r nameofuser ” . Use this option with care . The data in a user’s directory can often be important even after the person has left your company .

Practical example :



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s