Prepare for LPIC-1 exam 2 - topic 107.1: Manage user and group accounts and related system files

Overview

In this tutorial, learn to:

Add, modify, and remove users and groups
Suspend and change user accounts
Manage user and group information in the password and group databases
Create and manage limited and special-purpose accounts

Users and groups

You learned in "Learn Linux, 101: Manage file permissions and ownership" that Linux is a multiuser system in which each user belongs to one primary group and possibly to additional groups. Ownership of files in Linux is closely related to user IDs and groups. Recall that you can log in as one user and become another user by using the su or sudo -ssudo-s commands. And recall that you can use the whoami command to check your current effective ID, and the groups command to find out which groups you belong to. In this tutorial, you learn how to create, delete, and manage users and groups. You also learn about the files in /etc, where user and group information is stored.

This tutorial helps you prepare for Objective 107.1 in Topic 107 of the Linux Server Professional (LPIC-1) exam 102. The objective has a weight of 5.

Prerequisites

To get the most from the tutorials in this series, you need basic knowledge of Linux and a working Linux system on which you can practice the commands covered in this tutorial. You should be familiar with GNU and UNIX® commands. Sometimes different versions of a program format output differently, so your results might not always look exactly like the listings and figures shown here.

For my examples in this tutorial, I use openSUSE Leap 42 and Fedora 23. These two distributions manage users and groups in two alternative ways, and you should be familiar with both ways. Unqualified references to Fedora or openSUSE systems refer to these two systems.

Adding and removing users and groups

You add a user to a Linux system with the useradd command, and you delete a user with the userdel command. Similarly, you add or delete groups with the groupadd and groupdel commands.

For user and group administration, most modern Linux desktops have graphical interfaces that usually are accessible through menu options for system administration. Interfaces vary considerably, so the one on your system might look different from the graphical examples here. Despite these differences, the underlying concepts and commands are similar. Figure 1 shows the graphical KDE user interface on an openSUSE 42 system.

Figure 1. openSUSE user-management interface

For comparison, Figure 2 shows the graphical GNOME user interface on a Fedora 23 system.

Figure 2. Fedora user-management interface

Adding a user

First, I show you how to use the graphical interface to add a user, John Doe, with username john, to the openSUSE system. Click the Add button that you see in Figure 1 (or the corresponding button if your UI language is not English) to add a new user. Then enter John Doe as the user's full name, john as the username (or ID), and a starting password, as shown in Figure 3. Click OK to create the user.

Figure 3. Adding user john with the openSUSE graphical interface

You now have a new user, john, who has a home directory /home/john. Use the id and ls commands, as shown in Listing 1, to verify. As you see, user john has a user number (uid) of 1001 and is a member of the users group.

Listing 1. Displaying information about user john on openSUSE


ian@attic4‑s42:~> id john
uid=1001(john) gid=100(users) groups=100(users)
ian@attic4‑s42:~> ls ‑ld ~john
drwxr‑xr‑x 7 john users 4096 Feb  5 18:27 /home/john

From the command line, you use the useradd command to create a new user and then use the passwd command to set the user's password. Both of these commands require root authority. Listing 2 shows the basic use of these commands to add another user, jane. The -c option of useradd provides a text string, such as a name, to be associated with the user, and the -m option requests creation of a home directory.

Listing 2. Adding user jane on openSUSE


attic4‑s42:~ #useradd ‑m ‑c "Jane Doe" jane
attic4‑s42:~ #passwd jane
New password: 
Retype new password: 
passwd: password updated successfully
attic4‑s42:~ #id jane
uid=1002(jane) gid=100(users) groups=100(users)
attic4‑s42:~ #ls ‑ld ~jane
drwxr‑xr‑x 7 jane users 4096 Feb 15 11:27 /home/jane

Different systems can have different approaches to user addition, other than differences in the graphical interface that you might use. For example, in the Fedora 23 GUI, you must first click the Unlock button to unlock the dialog box, and then click the + button to add a new user. As for the openSUSE example, you enter the user's full name and the username (or ID) that you want to use. You can either enter a starting password as shown in Figure 4, or let the user enter a password on first login. Note the strength assessment for the password that you enter here. Click the Add button to create the new user.

Figure 4. Adding user john with the Fedora graphical interface

Use the same commands that you saw in Listing 1 to see information about the new Fedora user, as shown in Listing 3.

Listing 3. Displaying information about user john on Fedora


[ian@attic‑f23 ~]$ id john
uid=1001(john) gid=1001(john) groups=1001(john)
[ian@attic‑f23 ~]$ ls ‑ld ~john
drwx‑‑‑‑‑‑. 3 john john 4096 Feb 15 16:03 /home/john

Listing 3 shows that a new group is created with name john and group ID 1001.

Adding a group

When you add a new user, the primary group — and any other groups that you want the user to be a member of — must exist before you can create the user. So, if you want to add a user jane with group jane on the Fedora system, you must first create a group jane. You use the groupadd command to create the group. Listing 4 shows how to create both the group and the user. As before, you need root authority to add users and groups and to set passwords for other users.

Listing 4. Adding group jane and user jane on Fedora


[root@attic‑f23 ~]#groupadd jane
[root@attic‑f23 ~]#useradd ‑c "Jane Doe" ‑g jane ‑G users jane
[root@attic‑f23 ~]#passwd jane
Changing password for user jane.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@attic‑f23 ~]#id jane
uid=1002(jane) gid=1002(jane) groups=1002(jane),100(users)
[root@attic‑f23 ~]#ls ‑ld ~jane
drwx‑‑‑‑‑‑. 3 jane jane 4096 Feb 15 21:33 /home/jane

The requirement to have a group defined before the new user is created has one exception. As in the openSUSE example (Listing 2), you can create a Fedora user without specifying the -g option with a group name. When you do, useradd creates a new group with the same name as the username. I explain this behavior in the "" section.

In Listing 4, I use the -g option to specify the primary group for user jane and the -G option to specify an additional group, users. You see that group jane is created with group ID 1002. Linux has no command that's analogous to the id command to display information about the group ID associated with a group name. In the "" and "" sections, I show you how to find out information about a group.

I also omit the -m option, yet a home directory is created. Again, see "" for an explanation.

The home directory skeleton

When you create a new user and a new home directory is created, the directory is populated with several files and subdirectories that, by default, are copied from /etc/skel. Some subdirectories might be created in /etc/skel when a package is installed, or the subdirectory might be created in the user's home directory when the package is first used. So, you will see many differences in skeleton directories according to which packages are installed and whether they add files or directories to /etc/skel, or whether they wait for a user to use the package. Listing 5 shows the contents of the home directory for user jane on the openSUSE system and then on the Fedora system. In each case, the diff command verifies that the home directory contents match /etc/skel.

Listing 5. Initial contents of home directory for user jane


attic4‑s42:~ ##openSUSE 42
attic4‑s42:~ #diff ‑rq ~jane /etc/skel
attic4‑s42:~ #ls ‑al ~jane
total 80
drwxr‑xr‑x 7 jane users  4096 Feb 15 12:55 .
drwxr‑xr‑x 6 root root   4096 Feb 15 12:55 ..
‑rw‑‑‑‑‑‑‑ 1 jane users     0 May 18  1996 .bash_history
‑rw‑r‑‑r‑‑ 1 jane users  1177 Oct 25 05:04 .bashrc
drwx‑‑‑‑‑‑ 2 jane users  4096 Sep 30 06:59 .config
‑rw‑r‑‑r‑‑ 1 jane users   315 Sep 30 06:41 .dvipsrc
‑rw‑r‑‑r‑‑ 1 jane users  1637 Sep 11  2014 .emacs
drwxr‑xr‑x 2 jane users  4096 Sep 30 06:59 .fonts
‑rw‑r‑‑r‑‑ 1 jane users 18517 Oct 25 09:08 .gnu‑emacs
‑rw‑r‑‑r‑‑ 1 jane users   305 Sep 30 06:54 .i18n
‑rw‑r‑‑r‑‑ 1 jane users   861 Sep 11  2014 .inputrc
drwx‑‑‑‑‑‑ 2 jane users  4096 Sep 30 06:59 .local
‑rw‑r‑‑r‑‑ 1 jane users  1028 Oct 25 05:04 .profile
‑rw‑r‑‑r‑‑ 1 jane users  1952 Sep 30 06:54 .xim.template
‑rwxr‑xr‑x 1 jane users  1112 Sep 24 00:05 .xinitrc.template
drwxr‑xr‑x 2 jane users  4096 Sep 30 06:59 bin
drwxr‑xr‑x 2 jane users  4096 Oct 29 17:08 public_html


[root@attic‑f23 ~]##Fedora 23
[root@attic‑f23 ~]#diff ‑rq ~jane /etc/skel
[root@attic‑f23 ~]#ls ‑al ~jane
total 32
drwx‑‑‑‑‑‑. 3 jane jane 4096 Feb 15 21:33 .
drwxr‑xr‑x. 5 root root 4096 Feb 15 21:33 ..
‑rw‑r‑‑r‑‑. 1 jane jane   18 Jan 11 06:02 .bash_logout
‑rw‑r‑‑r‑‑. 1 jane jane  193 Jan 11 06:02 .bash_profile
‑rw‑r‑‑r‑‑. 1 jane jane  231 Jan 11 06:02 .bashrc
‑rw‑r‑‑r‑‑. 1 jane jane  334 Feb  3 01:55 .emacs
drwxr‑xr‑x. 4 jane jane 4096 Dec  5 19:48 .mozilla
‑rw‑r‑‑r‑‑. 1 jane jane  658 Dec 25 07:14 .zshrc

In Listing 5, notice the different profile files that are created. Refer to "Learn Linux, 101: Customize and use the shell environment" if you need more information about the various profile files that the bash shell uses.

You might be wondering why user and group ID numbering starts at 1000, or why the openSUSE system puts all users in the users group, whereas the Fedora system creates a new group for each user — or why I did not need the -m option to create a home directory on Fedora. The /etc/login.defs file is a text file that contains several definitions related to system login. Some of the values in this file control user and group creation, and others control system behavior at login time.

Listing 6 shows a few lines extracted from the login.defs file on openSUSE.


#Min/max values for automatic uid selection in useradd
#
#SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
#UIDs for dynamically allocated administrative and system accounts.
#UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
#allocated user accounts.
#
UID_MIN          1000
UID_MAX        60000
#System accounts
SYS_UID_MIN       100
SYS_UID_MAX       499

#
#Min/max values for automatic gid selection in groupadd
#
#SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
#GIDs for dynamically allocated administrative and system groups.
#GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
#allocated groups.
#
GID_MIN        1000
GID_MAX      60000
#System accounts
SYS_GID_MIN      100
SYS_GID_MAX      499

#
#If useradd should create home directories for users by default (non
#system users only)
#This option is overridden with the ‑M or ‑m flags on the useradd command
#line.
#
CREATE_HOME      no

#
#Enable setting of the umask group bits to be the same as owner bits
#(examples: 022 ‑> 002, 077 ‑> 007) for non‑root users, if the uid is
#the same as gid, and username is the same as the primary group name.
#
#This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB no

Listing 7 shows the same values from my Fedora system. The different values for CREATE_HOME explain why I need the -m option on openSUSE but can omit it on Fedora. Similarly, the different values for USERGROUPS_ENAB control whether a new user has a dedicated group or becomes a member of the users group.


#
#Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
#System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
#Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
#System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
#If useradd should create home directories for users by default
#On RH systems, we do. This option is overridden with the ‑m flag on
#useradd command line.
#
CREATE_HOME yes

#This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

The UID_MIN and GID_MIN specify the starting values for ordinary users. Values in the range SYS_UID_MIN to SYS_UID_MAX and the corresponding group limit values are reserved for system users. See the "" section for more information on system users.

Note: Historically, ordinary-user numbers started at 500, and you might still find systems with this lower limit.

Options for useradd and groupadd

Both the useradd and groupadd commands have more options than I have used in the examples so far. Table 1 shows the common options for the useradd command.

Table 1. Options for useradd

Option	Purpose
`-b` - `-b`ase-dir	The default base directory in which user home directories are created. This is usually /home, and the user's home directory is /home/$USER.
`-c` - `-c`omment	A text string, such as the user's full name, that describes the ID.
`-d` `--home`	A specific directory name for the home directory.
`-e` - `-e`xpiredate	The date on which the account will expire or be disabled, in the form `YYYY-MM_DD`.
`-g` - `-g`id	The name or number of the initial login group for the user. The group must exist.
`-G` `--groups`	A comma-separated list of additional groups to which the user belongs.
`-K`	Can be used to override defaults from /etc/login.defs.
`-m` `--create-home`	Create the user's home directory if it does not exist. Copy the skeleton files and any directories from /etc/skel to the home directory.
`-o` `--non-unique`	Permit a user to have a nonunique ID.
`-p` - `-p`assword	The encrypted password. If a password is not specified, the default is to disable the account. You will usually use the `passwd` command in a subsequent step rather than generating an encrypted password and specifying it on the `useradd` command.
`-s` - `-s`hell	The name of the user's login shell if it is different from the default login shell.
`-u` - `-u`id	The nonnegative numerical user ID, which must be unique if `-o` is not specified. The default is to use the smallest value that is at least `UID_MIN` and also greater than the ID of any existing user.

Notes:

Some systems, including Fedora and Red Hat distributions, have extensions to the user-creation commands. For example, Fedora and Red Hat systems have a -n option to prevent useradd from creating a home directory. Be aware of such possible system differences and refer to your system's man pages if in doubt.
Graphical interfaces, and also the useradd command, might perform additional tasks, such as creating the user's mail file in /var/spool/mail.

Group names must begin with a lowercase letter or an underscore, and usually contain only those characters along with hyphens or digits. Table 2 shows common options for groupadd.

Table 2. Options for groupadd

Option	Purpose
`-f`	Exit with success status if the group already exists. This option is handy for scripting when you do not need to check whether a group exists before trying to create it.
`-g`	Specifies the group ID manually. The default is to use the smallest value that is at least `GID_MIN` and also greater than the ID of any existing group. Group IDs are normally unique and must be nonnegative.
`-o`	Permit a group to have a nonunique ID.
`-K`	Can be used to override defaults from /etc/login.defs.

Deleting a user or group

Deleting a user or group is much simpler than adding one, because the relevant commands have fewer options. In fact, the groupdel command to delete a group requires only the group name; it has no options. You cannot delete any group that is the primary group of a user. If you use a graphical interface for deleting users and groups, the functions are similar to the commands that I show.

You delete a user by using the userdel command. Add the -r or --remove option to remove the user's home directory and its contents, along with the user's mail spool.

Listing 8 shows how to add a group jane2 to the openSUSE system and then add two more users who make use of the group. User jane2 has primary group jane2, and user jane3 has jane2 as a secondary group. After user jane2 is deleted with the userdel command, the id command shows that the group jane2 is still a secondary group for user jane3. The second attempt to use groupdel to remove the group jane2 is successful because user jane3 has jane2 only as a secondary group.

Listing 8. Deleting users and groups on openSUSE


attic4‑s42:~ #groupadd jane2
attic4‑s42:~ #useradd ‑c "Jane Doe2" ‑m ‑g jane2 jane2
attic4‑s42:~ #useradd ‑c "Jane Doe3" ‑m ‑G jane2 jane3
attic4‑s42:~ #ls ‑ld /var/spool/mail/jane
‑rw‑rw‑‑‑‑ 1 jane  mail 0 Feb 15 12:55 /var/spool/mail/jane
‑rw‑rw‑‑‑‑ 1 jane2 mail 0 Feb 16 14:42 /var/spool/mail/jane2
‑rw‑rw‑‑‑‑ 1 jane3 mail 0 Feb 16 14:42 /var/spool/mail/jane3
attic4‑s42:~ #groupdel jane2
groupdel: cannot remove the primary group of user 'jane2'
attic4‑s42:~ #id jane3
uid=1004(jane3) gid=100(users) groups=1000(jane2),100(users)
attic4‑s42:~ #userdel ‑r jane2
no crontab for jane2
attic4‑s42:~ #id jane3
uid=1004(jane3) gid=100(users) groups=1000(jane2),100(users)
attic4‑s42:~ #groupdel jane2
attic4‑s42:~ #id jane3
uid=1004(jane3) gid=100(users) groups=100(users)
attic4‑s42:~ #ls ‑ld /var/spool/mail/jane
‑rw‑rw‑‑‑‑ 1 jane  mail 0 Feb 15 12:55 /var/spool/mail/jane
‑rw‑rw‑‑‑‑ 1 jane3 mail 0 Feb 16 14:42 /var/spool/mail/jane3
attic4‑s42:~ #ls ‑ld /home/jane*
drwxr‑xr‑x 7 jane  users 4096 Feb 15 12:55 /home/jane
drwxr‑xr‑x 7 jane3 users 4096 Feb 16 14:42 /home/jane3

If USERGROUPS_ENAB is set to yes in /etc/login.defs, as it is in my Fedora system, a group with the same name as the user is also deleted, provided that group is not the primary group of another user.

Listing 9 shows how the different /etc/login.defs file on Fedora influences user and group deletion. In this example, users jane2 and jane3 share a primary group, jane2.

Listing 9. Deleting users and groups on Fedora


[root@attic‑f23 ~]#useradd ‑c "Jane Doe2" jane2
[root@attic‑f23 ~]#id jane2
uid=1003(jane2) gid=1003(jane2) groups=1003(jane2)
[root@attic‑f23 ~]#useradd ‑c "Jane Doe3" ‑g jane2 jane3
[root@attic‑f23 ~]#id jane3
uid=1004(jane3) gid=1003(jane2) groups=1003(jane2)
[root@attic‑f23 ~]#groupdel jane2
groupdel: cannot remove the primary group of user 'jane2'
[root@attic‑f23 ~]#userdel ‑r jane2
userdel: group jane2 is the primary group of another user and is not removed.
[root@attic‑f23 ~]#userdel ‑r jane3
[root@attic‑f23 ~]#groupdel jane2

You can use a -f or --force option for userdel to delete a user and the same-named group. This option is dangerous, so use it only as a last resort. Read the man page carefully before you do.

If you delete a user or group, and files that belong to that user or group are on your filesystem, the files are not automatically deleted or assigned to another user or group. Output from the ls command shows the numeric value of the user or group if the user or group does not exist, as Listing 10 from my openSUSE system shows.

Listing 10. File formerly owned by a deleted user


attic4‑s42:~ #touch /tmp/jane3‑test
attic4‑s42:~ #chown jane3: /tmp/jane3‑test
attic4‑s42:~ #ls ‑l /tmp/jane3‑test
‑rw‑r‑‑r‑‑ 1 jane3 users 0 Feb 16 15:08 /tmp/jane3‑test
attic4‑s42:~ #userdel ‑r jane3
no crontab for jane3
attic4‑s42:~ #ls ‑l /tmp/jane3‑test
‑rw‑r‑‑r‑‑ 1 1003 users 0 Feb 16 15:08 /tmp/jane3‑test

Modifying accounts and suspending users

Now that you can create or delete a user ID or a group, you might also need to modify one. Or you might need to suspend a user's privileges on your system without deleting the user.

Modifying user accounts

Suppose that user john wants to have the tcsh shell as his default. From a graphical interface, you can often find a way either to edit a user (or group), or to examine the properties of the object. Figure 5 shows the Details dialog box for the user john on the openSUSE system. In Figure 5, I enter /bin/tcsh in the Login Shell field to change the shell to tcsh.

Figure 5. Modifying a user account

From the command line, you can use the usermod command to modify a user account. You can use most of the options that you use with useradd, except that you cannot create or populate a new home directory for the user. If you need to change the name of the user, specify the -l or --login option with the new name. You probably want to rename the home directory to match the user ID. You might also need to rename other items such as mail spool files. Finally, if the login shell is changed, some of the associated profile files might need to be altered. Listing 11 shows an example of the things you might need to do to change user john to john2 with /bin/tcsh as the default shell and renamed home directory /home/john2.

Listing 11. Modifying a user


attic4‑s42:~ #usermod ‑l john2 ‑s /bin/tcsh ‑d /home/john2 john
attic4‑s42:~ #ls ‑d ~john2
ls: cannot access /home/john2: No such file or directory
attic4‑s42:~ #mv /home/john /home/john2
attic4‑s42:~ #ls ‑d ~john2
/home/john2

Notes:

If you need to modify a user's additional groups, you must specify the complete list of additional groups. Linux has no command to add or delete a single group for a user.
Linux imposes restrictions on changing the name or ID of a user who is logged in or who has running processes. Check the man pages for details.
If you change a user ID number, you probably want to change files and directories owned by that user to match the new number.

Modifying groups

When you need to modify group information, use the groupmod command. Use the -n option to change the group name, and the -g option to change the group number. In Listing 12, I change the group john to john2 on my Fedora system.

Listing 12. Renaming a group


[root@attic‑f23 ~]#id john
uid=1001(john) gid=1001(john) groups=1001(john)
[root@attic‑f23 ~]#groupmod ‑n john2 john
[root@attic‑f23 ~]#id john
uid=1001(john) gid=1001(john2) groups=1001(john2)
[root@attic‑f23 ~]#ls ‑ld ~john
drwx‑‑‑‑‑‑. 3 john john2 4096 Feb 15 16:03 /home/john

Notice in Listing 12 that the group name for the home directory of user john also changed when I changed the group name — not surprisingly, because groups are represented in the filesystem inodes by their numbers rather than by their names.

If you change a group's number, you need to update any users for which that group is the primary group or a secondary group. Modern versions of groupmod do this updating for you, but older versions might update only primary groups, or make no updates. Listing 13 shows how to change the group number for john2 to 1020 on my Fedora system. Here, groupmod updates the primary group for user john and both primary and secondary groups for user john3, who has group john2 as a secondary group.

Listing 13. Renumbering a group


[root@attic‑f23 ~]#useradd ‑c "John Doe3" ‑G john2 john3
[root@attic‑f23 ~]#id john3
uid=1003(john3) gid=1003(john3) groups=1003(john3),1001(john2)
[root@attic‑f23 ~]#groupmod ‑g 1020 john2
[root@attic‑f23 ~]#id john
uid=1001(john) gid=1020(john2) groups=1020(john2)
[root@attic‑f23 ~]#id john3
uid=1003(john3) gid=1003(john3) groups=1003(john3),1020(john2)

Usually, you want to update the files and directories that belong to a group to match the new group number, because groupmod does not do this for you. The same process applies to changing both user and group numbers. Listing 14 shows how to change the group of all the affected files in the /home filesystem. Your system might have other files that are affected, so avoid renumbering users and groups if at all possible.

Listing 14. Changing group for all affected files in /home


[root@attic‑f23 ~]#ls ‑ld ~john
drwx‑‑‑‑‑‑. 3 john 1001 4096 Feb 15 16:03 /home/john
[root@attic‑f23 ~]#find /home ‑gid 1001 ‑exec chgrp john2 {} \;
[root@attic‑f23 ~]#ls ‑ld ~john
drwx‑‑‑‑‑‑. 3 john john2 4096 Feb 15 16:03 /home/john

User and group passwords

You have already seen the passwd command, which is used for changing a user password. The password is (or should be) unique to the user and can be changed by the user. The root user can change any user's password, as I did when setting up new users.

Groups can also have passwords, which you set with the gpasswd command. Users who know the group password can join a group temporarily by using the newgrp command. You need to weigh the advantages of adding a user to a group with usermod against the security issue of having too many people that know the group password.

Suspending and locking accounts

If you need to prevent a user from logging in, you can suspend or lock the account by using the -L option of the usermod command. Use the -U option to unlock the account. Listing 15 shows how to lock user john3 and what happens if john3 tries to log in to the system. Note that when the john3 account is unlocked, the existing password is restored.

Listing 15. Locking an account


[root@attic‑f23 ~]#usermod ‑L john3
[root@attic‑f23 ~]#ssh john3@attic‑f23
john3@attic‑f23's password: 
Permission denied, please try again.

You might have noticed back in Figure 1 that the dialog box has several tabs with additional user properties. In Figure 5, I use the Details page to change a user's login shell. You are familiar now with using the passwd command to set user passwords. In addition, the passwd command — and the usermod command and another command, the chage command — can perform many tasks related to user accounts. Table 3 shows some of these options.

Table 3. Commands and options for changing user accounts

Option for command			Purpose
usermod	passwd	chage
`-L`	`-l`	N/A	Lock or suspend the account.
`-U`	`-u`	N/A	Unlock the account.
N/A	`-d`	N/A	Disable the account by setting it passwordless.
`-e`	`-f`	`-E`	Set the expiration date for an account.
N/A	`-n`	`-m`	The minimum password lifetime in days.
N/A	`-x`	`-M`	The maximum password lifetime in days.
N/A	`-w`	`-W`	The number of days of warning before a password must be changed.
`-f`	`-i`	`-I`	The number of days after a password expires until the account is disabled.
N/A	`-S`	`-l`	Output a short message about the current account status.

Refer to the appropriate man pages on your system for more details on these and other options.

Managing user and group databases

The primary repositories for user and group information are four files in /etc:

/etc/passwd is the password file containing basic information about users.
/etc/shadow is the shadow password file containing encrypted passwords.
/etc/group is the group file containing basic information about groups and which users belong to them.
/etc/gshadow is the shadow group file containing encrypted group passwords.

These files are updated by the commands that you have already seen in this tutorial, and you will meet more commands for working with them after I discuss the files. All of these files are plain text files. In general, do not edit them directly. Use the tools provided for updating them so that they are correctly locked and kept synchronized.

The password (/etc/passwd) and group (/etc/group) files are both shadowed for security reasons. The passwd and group files themselves must be world readable, but the encrypted passwords should not be world readable. Therefore, the shadow files contain the encrypted passwords, and these files are readable only by root. The necessary authentication access is provided by an suid program that has root authority but can be run by anyone. Make sure that your system has the permissions set appropriately. Listing 16 shows the permissions on my Fedora system.

Listing 16. User and group database permissions


'['root@attic‑f23 ~]#ls ‑l /etc/passwd /etc/shadow /etc/group /etc/gshadow
‑rw‑r‑‑r‑‑. 1 root root 1183 Feb 17 13:23 /etc/group
‑‑‑‑‑‑‑‑‑‑. 1 root root  956 Feb 17 13:22 /etc/gshadow
‑rw‑r‑‑r‑‑. 1 root root 3026 Feb 17 15:03 /etc/passwd
‑‑‑‑‑‑‑‑‑‑. 1 root root 1877 Feb 17 15:03 /etc/shadow

Although it is technically possible to run without shadowed password and group files, this is almost never done and is not recommended.

The /etc/passwd file

The /etc/passwd file contains one line for each user in the system. shows example lines.

Listing 17. /etc/password entries


root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
john:x:1001:1020:John Doe:/home/john:/bin/bash
jane:x:1002:1002:Jane Doe:/home/jane:/bin/bash
john3:x:1003:1003:John Doe3:/home/john3:/bin/bash

Each line contains seven fields separated by colons (:), as shown in Table 4.

Table 4. Fields in /etc/passwd

Field	Purpose
Username	The name used to log in to the system. For example, `jane`.
Password	The encrypted password. When using shadow passwords, it contains a single `x` character.
User ID (UID)	The number used to represent this username in the system. For example, 1002 for user `jane`.
Group ID (GID)	The number used to represent this user's primary group in the system. For example, 1002 for user `jane`.
Comment (GECOS)	An optional field used to describe the user. For example, `Jane Doe`. The field can contain multiple comma-separated entries. It is also used by programs such as `finger`. The GECOS name is historical. See details in `man 5 passwd`.
Home	The absolute path of the user's home directory. For example, `/home/jane`.
Shell	The program that is automatically launched when a user logs in to the system. This is usually an interactive shell such as /bin/bash or /bin/tcsh, but it can be any program, not necessarily an interactive shell. For the `mail` user in Listing 17, it is /sbin/nologin, which indicates that the system `mail` user cannot log in.

The /etc/group file

The /etc/group file contains one line for each group in the system. Listing 18 shows example lines.

Listing 18. /etc/group entries


root:x:0:
mail:x:12:
jane:x:1002:
john2:x:1020:john3
john3:x:1003:

Each line contains four fields separated by colons (:), as shown in Table 5.

Table 5. Fields in /etc/group

Field	Purpose
Group name	The name of this group. For example, `john2`.
Password	The encrypted password. When using shadow group passwords, it contains a single `x` character.
Group ID (GID)	The number used to represent this group in the system. For example, `1002` for group `jane`.
Members	A comma-separated list of group members, excepting those members for whom this is the primary group.

You can see from Listing 18 that user john3 is a member of group john2.

Shadow files

The /etc/shadow file contains encrypted passwords, along with password- and account-expiration information. Secure this file to prevent general access. See the man page (man 5 shadowman5shadow) for information on the nine colon-separated fields. Passwords can be encrypted with one of several encryption algorithms. Older systems used DES or MD5, but modern systems typically use Blowfish, SHA-256, or SHA-512, or possibly MD5. Regardless of encryption algorithm, passwords are salted so that two otherwise identical passwords do not generate the same encrypted value. Listing 19 shows how to set identical passwords for users jane and john, and then shows the resulting encoded passwords in /etc/shadow. Note: I am breaking the long lines from /etc/shadow for publication.

Listing 19. Passwords in /etc/shadow


[root@attic‑f23 ~]#echo lpic1‑107‑1| passwd jane ‑‑stdin
Changing password for user jane.
passwd: all authentication tokens updated successfully.
[root@attic‑f23 ~]#echo lpic1‑107‑1| passwd john ‑‑stdin
Changing password for user john.
passwd: all authentication tokens updated successfully.
[root@attic‑f23 ~]#grep "^j...\:" /etc/shadow
john:
$6$wZCpY7Pd$s0I4kh29E5a/r8gJdBCJwvKwDbcETzNv34mXSE4gGGiaW5YTByAYcS1WPoMQmA6vpBofE78.E00hzJm8XScNd/:
16848:0:99999:7:::
jane:
$6$oEHqS0Ke$ScH3RxVi8LR/lVPg0D0r8mDLqCR.pTAMrvmeidBiPXszB/GE/Ge4UDWAO3whNZchEnSsvkYccU2/ioAACFh/i.:
16848:0:99999:7:::

The leading $6$ in the password field indicates that my Fedora system uses SHA-512 for encryption. My openSUSE system also uses SHA-512. See the man page man 3 cryptman3crypt for other possible values. The salt is a variable-length field of up to eight characters, ending with the next $ sign. The encrypted password follows.

Using getent with user and group database files

Earlier in this tutorial, I said that Linux has no command for groups analogous to the id command for users. You saw some entries from /etc/group in Listing 18, so you can easily construct a grep command to extract an individual line. Listing 20 shows that you need to be careful to avoid finding more than one entry, or even entries for nonexistent groups such as john, which is part of two other valid group names.

Listing 20. Using grep to extract group information


[root@attic‑f23 ~]#grep john3 /etc/group
john2:x:1020:john3
john3:x:1003:
[root@attic‑f23 ~]#grep ^john /etc/group
john2:x:1020:john3
john3:x:1003:
[root@attic‑f23 ~]#grep ^john3: /etc/group
john3:x:1003:

The getent command — part of the Name Service Switch facility — provides a generalized way to access the user and group databases, and other databases for hosts, networks, and services. The getent command requires the name of a database and a lookup key. If no key is provided, many of the databases support returning a full enumeration of their entries. You do not need to have root authority to use getent, although you do need to be able to read the database that you want to use, so I use user root in all my examples. Listing 21 shows basic examples of getent use.

Listing 21. Basic use of getent


[root@attic‑f23 ~]#getent passwd mail
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
[root@attic‑f23 ~]#getent group mail
mail:x:12:
[root@attic‑f23 ~]#getent shadow mail
mail:*:16605:0:99999:7:::
[root@attic‑f23 ~]#getent gshadow mail
mail:::
[root@attic‑f23 ~]#getent group | tail ‑n 5
mysql:x:27:
nginx:x:973:
jane:x:1002:
john2:x:1020:john3
john3:x:1003:
[root@attic‑f23 ~]#getent group john
[root@attic‑f23 ~]#getent group john3
john3:x:1003:
[root@attic‑f23 ~]#getent group john2
john2:x:1020:john3

Use the text-filtering tools you learned about in "Learn Linux, 101: Text streams and filters" to extract particular fields or construct more-complex queries. Listing 22 shows some possible uses.

Listing 22. Combining getent and text filters


[ian@attic‑f23 ~]$ #Print the group number for group john2
[ian@attic‑f23 ~]$ getent group john2 | cut ‑d: ‑f3
1020
[ian@attic‑f23 ~]$ #Find users with john2 as a secondary group
[ian@attic‑f23 ~]$ getent group john2 | cut ‑d: ‑f4
john3
[ian@attic‑f23 ~]$ #Print the group number for group root
[ian@attic‑f23 ~]$ getent group root | cut ‑d: ‑f3
0
[ian@attic‑f23 ~]$ #Use it to list all users with primary group root
[ian@attic‑f23 ~]$ getent passwd |
> awk ‑v g=$(getent group root | cut ‑d: ‑f3) ‑F: ' $4 == g  { print }'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/sbin/nologin

Now that you know about getent, you can use it to extract and process your user and group information. Listing 23 shows a simple script to extract group information that is somewhat analogous to the information returned by the id command for users.

Listing 23. Script to show group information


#!/bin/bash

#Example script to output info for a group analogous to the info
#provided for a user by the id command
#Ian Shields 2016‑02‑18

#output list if ids and names or primary users of a given group
#List is comma‑separated as in 100(john),200(joe)
pusers () 
{ 
    test "$1" && echo $(getent passwd |
awk ‑v g=$(getent group $1 | cut ‑d: ‑f3) ‑F: ' $4 == g  { print $3"("$1")"  }') | tr ' ' ','
}

#Output comma‑separated list of ids and names give a list of user names
#as in 100(john),200(joe)
susers ()
{
    slist=""
    for u in $(echo "$1" | tr ',' ' ')
    do slist="$slist $(id ‑u $u)($u)"
    done
    echo $slist | tr ' ' ','
}

#Use passed group name or group of current user
mygroup=$(id ‑gn)
getgroup="${1:‑$mygroup}"
groupinfo=$(getent group $getgroup)
if [ $? ‑eq 0 ]; then
    priu="$(pusers $getgroup)"
    sul=$(echo $groupinfo | cut ‑d: ‑f4)
    secu="$(susers $sul)"
    test "$priu" ‑a "$secu" && allu="$priu,$secu" || allu="$priu$secu"
    test "$allu" && allu="users=$allu"
    echo $groupinfo | awk ‑F: ‑vau=$allu ' { print "gid="$3"("$1") "au } '
else
    echo "group: $getgroup: no such group"
fi

I saved the script in Listing 23 as groupid.sh on my system. I also added a group dept-107 that has no users to show you how the script works in such a case. Listing 23 shows some usage examples. For this illustration, I use my ordinary user login rather than root.

Listing 24. Using the groupid.sh script


[ian@attic‑f23 ~]$ ./groupid.sh
gid=1000(ian) users=1000(ian)
[ian@attic‑f23 ~]$ ./groupid.sh john2
gid=1020(john2) users=1001(john),1003(john3)
[ian@attic‑f23 ~]$ ./groupid.sh root
gid=0(root) users=0(root),5(sync),6(shutdown),7(halt),11(operator)
[ian@attic‑f23 ~]$ ./groupid.sh dept‑107
gid=1030(dept‑107) 
[ian@attic‑f23 ~]$ ./groupid.sh users
gid=100(users) users=12(games),1002(jane)

Limited and special-purpose accounts

By convention, system users usually have an ID that is lower than 100, with root having ID 0. Normal users start automatic numbering from the UID_MIN value set in /etc/login.defs, with this value commonly being set at 500 or 1000.

Besides regular user accounts and the root account on your system, you will usually have several special-purpose accounts, for daemons such as FTP, SSH, mail, news, and so on. Listing 25 shows entries from /etc/passwd for some of these accounts.

Listing 25. Limited and special-purpose accounts


root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
systemd‑timesync:x:999:998:systemd Time Synchronization:/:/sbin/nologin
systemd‑network:x:998:997:systemd Network Management:/:/sbin/nologin
systemd‑resolve:x:997:996:systemd Resolver:/:/sbin/nologin
systemd‑bus‑proxy:x:996:995:systemd Bus Proxy:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
setroubleshoot:x:989:984::/var/lib/setroubleshoot:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege‑separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin

Such accounts frequently control files but should not be accessed by normal login. Therefore, they usually have a login shell specified as /sbin/nologin or /bin/false, so that login attempts will fail.

Other tools for users and groups

In this tutorial, you have seen several commands that manipulate the account and group files and their shadows. In this final section, I introduce you to a few remaining commands that are related to user and group administration but are not in the LPI objectives. Use the man pages or search the Internet for more information.

Group administrators

In some circumstances, you might want users other than root to be able to administer one or more groups by adding or removing group members. The root user can use the -A option of the gpasswd to add a user as administrator of a group. For example:


gpasswd ‑A jane john2

This command makes user jane an administrator of the group john2. User jane can now use the -a option of groupadd to add members to the group john2. Similarly, an administrator can delete members of a group. Note: Adding a group administrator does not make the administrator a member of the group if he or she is not already a member.

Note: The openSUSE Leap 42 system does not use /etc/gshadow and does not support group administration through the -A option of gpasswd. If you create a group password, the encrypted form is stored in /etc/group, which is world readable.

Editing commands for password and group files

You can use the vipw command to edit /etc/passwd safely and the similar vigr command to edit /etc/group safely. These two commands lock the necessary files while you make changes in the vi editor. If you make changes to /etc/passwd, vipw prompts you to see if you also need to update /etc/shadow. Similarly, if you update /etc/group by using vigr, you are prompted to update /etc/gshadow. If you need to remove group administrators, you might need to use vigr, because gpasswd only allows addition of administrators.

Conversion programs

Four other related commands are also not listed in the LPI objectives: pwconv, pwunconv, grpconv, and grpunconv. These commands are used for converting between shadowed and nonshadowed password and group files. You might never need these commands, but be aware of their existence. See the man pages for details.

This concludes your introduction to user and group account management.