Linux User and Group Administration
Proper management of users and groups is foundational to Linux security and
multi-tenant operations. Every process runs under a user identity, every file carries
ownership metadata, and the kernel enforces access decisions based on UIDs and GIDs.
This guide walks through creating and modifying accounts, managing groups, configuring
sudo access, and understanding the PAM framework that underpins authentication on
virtually all modern distributions.
Creating and Modifying Users
The useradd command creates a new account. On most distributions the -m flag is
needed to create a home directory, and -s sets the login shell:
# Create a regular user with home directory and bash shell
useradd -m -s /bin/bash jdoe
# Create a system account (no home, nologin shell)
useradd -r -s /usr/sbin/nologin appuser
# Set the initial password
passwd jdoe
Use usermod to adjust an existing account:
# Add user to supplementary groups (without removing existing ones)
usermod -aG sudo jdoe # Debian/Ubuntu: grant sudo
usermod -aG wheel jdoe # RHEL/Fedora: grant sudo
# Change login shell
usermod -s /bin/zsh jdoe
# Lock / unlock an account
usermod -L jdoe # lock (prepends ! to password hash)
usermod -U jdoe # unlock
# Note: -L only disables the password; logins that bypass it (e.g. SSH public keys)
# still succeed, so also set an account expiry date (chage -E, below) to disable fully
# Change home directory and move contents
usermod -d /new/home/jdoe -m jdoe
To remove a user:
userdel jdoe # remove account but keep home directory
userdel -r jdoe # remove account AND home directory
Password Aging with chage
The chage command controls password expiration policies:
chage -l jdoe # list current aging info
chage -M 90 jdoe # password expires every 90 days
chage -m 7 jdoe # minimum days between password changes
chage -W 14 jdoe # warn 14 days before expiry
chage -E 2026-12-31 jdoe # account expires on a specific date
chage -d 0 jdoe # force password change at next login
Groups
groupadd developers # create a new group
groupadd -g 5000 ops # create with a specific GID
groupdel developers # delete a group
# List groups for a user
groups jdoe
id jdoe # shows UID, GID, and all supplementary groups
Understanding /etc/passwd, /etc/shadow, and /etc/group
/etc/passwd
Each line has seven colon-separated fields:
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
- username (jdoe)
- password placeholder (x; the actual hash lives in /etc/shadow)
- UID (1001)
- primary GID (1001)
- GECOS comment field (John Doe)
- home directory (/home/jdoe)
- login shell (/bin/bash)
/etc/shadow
Readable only by root. Contains the password hash and aging data:
jdoe:$6$rounds=5000$salt$hash...:19400:7:90:14:::
The fields after the hash are last-changed (days since the epoch), min, max and warn (day counts, the same values chage -m, -M and -W set), inactive (days of grace after expiry) and expire (days since the epoch), followed by a reserved field. In the example the password was last changed on day 19400, may be changed no more than once every 7 days, expires after 90 days and triggers a warning 14 days beforehand; inactive and expire are unset.
/etc/group
developers:x:5000:jdoe,asmith
Group name, password placeholder, GID, and a comma-separated member list.
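As an added example that is not part of the original guide, the POSIX shell script below applies the field layouts above to audit passwd and shadow content for extra UID 0 accounts, empty password fields, locked accounts, and password maximum ages beyond a policy. The sample lines, hash values and function names (uid0_accounts, empty_password_accounts, locked_accounts, stale_aging_accounts, audit_report) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit passwd/shadow
# content using the field layouts described above. All sample lines
# and hash values below are constructed placeholders.

# Constructed /etc/passwd content: name:x:UID:GID:GECOS:home:shell
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
backup:x:0:1002:Backup:/var/backups:/bin/sh
appuser:x:998:998::/nonexistent:/usr/sbin/nologin
asmith:x:1002:1002:Alice Smith:/home/asmith:/bin/zsh'

# Constructed /etc/shadow content: name:hash:last:min:max:warn:inactive:expire:
SAMPLE_SHADOW='root:$6$salt$hash:19400:0:99999:7:::
jdoe:$6$salt$hash:19400:7:90:14:::
backup::19400:0:99999:7:::
appuser:!:19400:0:99999:7:::
asmith:$6$salt$hash:19400:7:365:14:::'

# Accounts other than root with UID 0: each one is a second superuser identity.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts with an empty shadow password field: no password is required at all.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts whose hash field starts with ! or *: password login is locked.
locked_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Accounts with a usable hash whose max age (field 5) is unset or exceeds $2 days.
stale_aging_accounts() {
    printf '%s\n' "$1" | awk -F: -v max="$2" \
        '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 > max) { print $1 }'
}

# One summary line per check; pass real file contents here to audit a host.
audit_report() {
    printf 'uid0-not-root: %s\n'  "$(uid0_accounts "$1" | tr '\n' ' ')"
    printf 'empty-password: %s\n' "$(empty_password_accounts "$2" | tr '\n' ' ')"
    printf 'locked: %s\n'         "$(locked_accounts "$2" | tr '\n' ' ')"
    printf 'max-age-over-%s: %s\n' "$3" "$(stale_aging_accounts "$2" "$3" | tr '\n' ' ')"
}

audit_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 90
```

On a real host run it as root (shadow is root-only) with `audit_report "$(cat /etc/passwd)" "$(cat /etc/shadow)" 90`.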
Configuring sudo Access
Always edit the sudoers file with visudo, which performs syntax checking before
saving:
visudo # edit /etc/sudoers safely
visudo -f /etc/sudoers.d/ops # edit a drop-in file
Sudoers Syntax
# Define aliases for readability
User_Alias ADMINS = jdoe, asmith
User_Alias DBAS = dbadmin
Cmnd_Alias RESTART_WEB = /usr/bin/systemctl restart nginx, \
/usr/bin/systemctl restart apache2
Cmnd_Alias DB_CMDS = /usr/bin/pg_dump, /usr/bin/psql
# Grant full sudo to ADMINS
ADMINS ALL=(ALL:ALL) ALL
# Grant specific commands to DBAS without a password
DBAS ALL=(ALL) NOPASSWD: DB_CMDS
# Allow the ops group to restart web services
%ops ALL=(ALL) NOPASSWD: RESTART_WEB
Key syntax elements:
- ALL=(ALL:ALL) ALL means from any host, as any user and any group, any command.
- NOPASSWD: suppresses the password prompt for the listed commands.
- Group names are prefixed with %.
- Drop-in files in /etc/sudoers.d/ are included automatically and keep the main file clean.
PAM Basics
Pluggable Authentication Modules (PAM) decouple applications from the specifics of
authentication. Configuration lives in /etc/pam.d/, with one file per service (e.g.,
login, sshd, sudo).
A typical PAM stack has four module types:
| Type | Purpose |
|---|---|
| auth | Verify identity (password, token, biometric) |
| account | Check account validity (expiry, access hours) |
| password | Update authentication tokens |
| session | Set up / tear down a session (mount home, set limits) |
Example excerpt from /etc/pam.d/common-auth (Debian):
# Pause 2 seconds (value is in microseconds) after a failed attempt to slow guessing
auth required pam_faildelay.so delay=2000000
# On success, skip the next line (pam_deny); nullok also accepts empty passwords
auth [success=1 default=ignore] pam_unix.so nullok
# Reached only if pam_unix failed: deny and stop processing the stack
auth requisite pam_deny.so
# Reached via the success=1 jump: sets the stack result to success
auth required pam_permit.so
Common PAM modules include pam_unix.so (traditional password auth),
pam_google_authenticator.so (TOTP two-factor), pam_limits.so (enforce ulimits), and
pam_access.so (host/network-based access control).
For how user/group ownership interacts with file access, see File Permissions. To understand how user sessions are managed by the init system, continue to the Systemd Guide.