Ict-innovation/LPI/107.1

= 107.1 Manage User and Group Accounts =

Candidates should be able to add, remove, suspend and change user accounts.

Key Knowledge Areas


 * Add, modify and remove users and groups.


 * Manage user/group info in password/group databases.


 * Create and manage special purpose and limited accounts.

Linux is a multi-user environment. Each user belongs to one primary group (normally created by default) and possibly to additional groups. Ownership of files in Linux is closely tied to user IDs and group IDs. Topic 107.1 prepares you to add, delete, and manage users and groups. You will also learn about the files in /etc where user and group information is stored.

Creating New Users
The /usr/sbin/useradd command adds new users to the system. On Red Hat derived distributions adduser is a symbolic link to it; on Debian and Ubuntu adduser is a separate interactive front end that calls useradd.

Syntax:  useradd [options] login-name

Example: add a user with login-name brian

useradd brian

Default values will be used when no options are specified. You can list these values with useradd -D.

Default options listed with useradd -D

GROUP=100 HOME=/home INACTIVE=-1 EXPIRE= SHELL=/bin/bash SKEL=/etc/skel

NOTE: This information is also available in the file /etc/default/useradd

The id command displays basic information about a user: the user ID, the primary group and any supplementary groups the user belongs to.

To allow a user to access his or her account the administrator must allocate a password to the user using the passwd tool.

Syntax: passwd login-name

passwd prompts for the new password twice. Now the user brian has a password. Until passwd is run the account exists but cannot be logged into: useradd leaves the password field in /etc/shadow locked unless -p is given. Because the user was created using the default settings of useradd, the user's environment (home directory, default shell and primary group) has been set from those defaults.

useradd (options): the main ones are -c comment (the GECOS field), -d home directory, -e expiry date, -g primary group, -G supplementary groups, -m (create the home directory and copy /etc/skel into it), -s login shell and -u UID. The -p option takes an already encrypted password; avoid it, because the hash appears in the process list and in the shell history, and set the password with passwd instead.
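The following provisioning wrapper is an added example and not part of the LPI material. It applies the points above: it validates the login-name the way useradd does, states every option explicitly instead of relying on the useradd -D defaults, and sets the password through chpasswd on stdin rather than useradd -p. The names brian, Brian Example, the group devel and the 90-day policy are made up for the demonstration; run() and the DRY_RUN variable are this example's own helpers, not useradd features.

```shell
#!/bin/sh
# Added example, not part of the LPI page: provision a login with every
# useradd option stated explicitly instead of relying on the `useradd -D`
# defaults, and set its password without putting it on a command line.
# The login names, shell, group and 90-day policy below are made up for
# the demonstration; run() and DRY_RUN are this example's own helpers.

# useradd(8) only accepts names matching [a-z_][a-z0-9_-]*[$]? of at most 32 chars.
valid_login() {
    case "$1" in
        '' | *[!a-z0-9_\$-]* | [!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    case "${1%?}" in *'$'*) return 1 ;; esac      # '$' allowed only as the last character
    return 0
}

# Run a command, or just print it when DRY_RUN is set (so the flow can be
# read and tested without root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# provision_user LOGIN "FULL NAME" SHELL GROUPS   (password is read from stdin)
provision_user() {
    login=$1 fullname=$2 shell=$3 groups=$4
    valid_login "$login" || { echo "invalid login name: $login" >&2; return 1; }
    if getent passwd "$login" >/dev/null 2>&1; then
        echo "$login already exists" >&2; return 1
    fi
    IFS= read -r password || return 1
    # -m copies /etc/skel into a new home; -K overrides one login.defs default
    # for this account only; UID and GID are still chosen automatically.
    run useradd -m -c "$fullname" -s "$shell" -G "$groups" \
        -K PASS_MAX_DAYS=90 "$login" || return 1
    # Never pass `useradd -p HASH`: the hash would be visible in ps and in the
    # shell history. chpasswd reads login:password pairs from stdin instead.
    printf '%s:%s\n' "$login" "$password" | run chpasswd || return 1
    run chage -d 0 "$login"                       # force a change at first login
}

# Demo (dry run): prints the commands that would be executed.
( DRY_RUN=1; printf 'S3cret-demo\n' | provision_user brian 'Brian Example' /bin/bash devel )
```

Without DRY_RUN the same function runs the real commands and therefore needs root; note that the password never appears in any command line, only on the pipe into chpasswd.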

Working with Groups
Every new user is assigned to an initial (or primary) group. Two conventions exist.

Traditionally this primary group is the same for all users and is called users, with a group id (GID) of 100. Some distributions, such as SUSE, follow this convention.

The User Private Group scheme (UPG) was introduced by Red Hat and changes this convention without changing the way UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (by default) and its GID is taken from the same range as ordinary UIDs (GID_MIN to GID_MAX in /etc/login.defs: 500 to 60000 on older systems, 1000 to 60000 on current ones), normally equal to the UID. Most current distributions enable this scheme (USERGROUPS_ENAB yes in /etc/login.defs).

NOTE: When using the traditional scheme the user's umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002. A umask of 002 makes new files group-writable, which is safe under UPG only because the private group has a single member; if a user's primary group is later changed to a shared group such as users, keep the umask at 022 or every file that user creates becomes writable by the whole group.

Belonging to Groups

A user can belong to any number of groups. However at any one time (when creating a file for example) only one group is the effective group.

The list of all groups a user belongs to is obtained with either the groups or the id command.

Example for user root: groups root (or id root).

Joining a group

Joining a group changes the user's effective group: newgrp starts a new shell whose effective GID is the chosen group, and exit returns to the previous shell. The group must already exist and the user must be a member of it (otherwise newgrp asks for the group password, if one is set).

Example: joining the ict group

newgrp ict

If the groups command is issued, the first group on the list would no longer be root but ict.

Creating and deleting groups

The groupadd tool is used to add new groups. It adds an entry to the /etc/group file (and to /etc/gshadow where shadow groups are in use).

Example: Create the group devel

groupadd devel

groupadd (options): -g GID to choose the GID explicitly, and -r to create a system group, whose GID is taken from the SYS_GID_MIN to SYS_GID_MAX range of /etc/login.defs (for daemons rather than people).

The groupdel tool is used to delete groups. It removes the relevant entries from /etc/group (and /etc/gshadow). groupdel refuses to remove a group that is the primary group of an existing user. Files owned by the deleted group keep its numeric GID, which ls -l then shows as a bare number; locate them with find / -nogroup, otherwise they are silently inherited by the next group that is given that GID.

Example: Delete the group devel

groupdel devel

Adding a user to a group

Membership is administered with the gpasswd tool. One can add (-a) or remove (-d) a user from a group and appoint group administrators (-A), who may then add and remove members without being root (they are recorded in /etc/gshadow). The tool was originally designed to set a password on a group, allowing non-members to join the group with newgrp by giving that password. The feature still exists but is discouraged: a shared password is only as strong as its least careful holder, and most distributions leave the group password unset. An equivalent way to add a supplementary group is usermod -aG devel andrew; without -a, usermod -G replaces the user's whole supplementary group list.

Example: Add andrew to the group devel

gpasswd -a andrew devel
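Group membership is spread over two files, which is easy to get wrong in an access review: the member list in /etc/group only holds supplementary members, while anyone whose primary GID (fourth field of /etc/passwd) is the group's GID is a member as well, and gpasswd -d cannot remove such a member. The script below is an added example, not part of the LPI page; it resolves membership the way id and groups do. The passwd and group contents are constructed sample data written to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the LPI page: resolve the effective members of a
# group the way id/groups do. The member field of /etc/group only lists
# supplementary members; anyone whose primary GID (4th field of /etc/passwd)
# is the group's GID is a member too, and gpasswd -d cannot remove them.
# The passwd and group contents below are constructed sample data.

# Write the sample files into a scratch directory and print its path.
make_group_sample() {
    dir=$(mktemp -d)
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
brian:x:1001:1001:Brian:/home/brian:/bin/bash
andrew:x:1002:1002:Andrew:/home/andrew:/bin/bash
carol:x:1003:1010:Carol:/home/carol:/bin/bash
EOF
    cat >"$dir/group" <<'EOF'
root:x:0:
brian:x:1001:
andrew:x:1002:
devel:x:1010:andrew
EOF
    printf '%s\n' "$dir"
}

# group_members DIR GROUP -> sorted logins, one per line, primary-GID members included
group_members() {
    awk -F: -v grp="$2" '
        FNR == NR {                                   # pass 1: group file
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }       # pass 2: primary GIDs in passwd
        END { for (u in seen) print u }
    ' "$1/group" "$1/passwd" | sort
}

# membership_kind DIR USER GROUP -> "primary", "supplementary" or "none"
membership_kind() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$1/group")
    [ -n "$gid" ] || { echo none; return; }
    if awk -F: -v u="$2" -v gid="$gid" '$1 == u && $4 == gid { f = 1 } END { exit !f }' "$1/passwd"; then
        echo primary          # removing it needs usermod -g, not gpasswd -d
    elif awk -F: -v u="$2" -v g="$3" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 } END { exit !f }' "$1/group"; then
        echo supplementary    # gpasswd -d USER GROUP removes it
    else
        echo none
    fi
}

# Demo on the sample data:
d=$(make_group_sample)
printf 'devel members: %s\n' "$(group_members "$d" devel | tr '\n' ' ')"
printf 'carol in devel: %s\n' "$(membership_kind "$d" carol devel)"
rm -rf "$d"
```

Pointed at /etc instead of the scratch directory, group_members /etc devel answers the question getent group devel does not: who can actually create files owned by devel.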

Configuration files

The /etc/passwd and /etc/shadow files:

The names of all the users on the system are kept in /etc/passwd. Each line describes one account and has the following structure:

login-name:password:UID:GID:GECOS (full name and comments):home directory:login shell

These 7 fields are separated by colons. The entry for root, for instance, usually reads root:x:0:0:root:/root:/bin/bash. On a system with shadow passwords the second field holds only an x; the real password hash lives in /etc/shadow.

Shadow Passwords

In order to hide the encrypted passwords from ordinary users you should use a shadow file. The /etc/shadow</tt> file then holds the user names and encrypted passwords and is readable only by root.

If you don't have a shadow file in /etc then you should issue the following command:

pwconv

This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use shadow passwords you can revert with:

pwunconv

Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the /etc/shadow file must be more restricted (600 or even 400; several distributions use 640 owned by root:shadow). However, after pwunconv the hashes are back in /etc/passwd, so make sure to change the permissions on /etc/passwd (600 or 400). Bear in mind that many programs need to read /etc/passwd to map UIDs to names, which is exactly why the hashes were moved into a separate file.

The /etc/group and /etc/gshadow files:

In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons:

group-name:password:GID:comma-separated list of members

Example /etc/group entry:

root:x:0:

As for users there is an /etc/gshadow file, which holds the group passwords and the group administrators when shadow group passwords are in use. The utilities used to switch between shadow and non-shadow group files are grpconv and grpunconv.

The /etc/login.defs and /etc/skel/ files

The /etc/login.defs file contains the following information:


 * the mail spool directory: MAIL_DIR


 * password aging controls: PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE (PASS_MAX_LEN and PASS_MIN_LEN, also found here, concern password length rather than aging)


 * max/min values for automatic UID selection in useradd: UID_MIN, UID_MAX (and SYS_UID_MIN, SYS_UID_MAX for system accounts created with useradd -r)


 * max/min values for automatic GID selection in groupadd: GID_MIN, GID_MAX


 * automatically create a home directory with useradd: CREATE_HOME

These values are defaults read by useradd and groupadd at creation time; changing them does not affect existing accounts.

The /etc/skel directory contains default files that are copied into the home directory of newly created users: .bashrc, .bash_profile, ... These are hidden files and are listed with ls -a in the user's home directory. Whatever is placed in /etc/skel is reproduced in every future home directory, so review its contents: a modified .bashrc there runs for every new user.

Modifying accounts and default settings
All the attributes set when creating a user or a group can be modified later. The usermod utility has the following main options:

usermod (options): -c comment, -d home directory (add -m to move the contents of the old one), -e expiry date, -g primary group, -G supplementary groups (add -a to append rather than replace), -l new login-name, -L / -U to lock / unlock the password, -s login shell and -u UID.

Notice that most of these options are the same as for useradd.

In the example below, user brian has been renamed to user2, his shell is now tcsh, and his home directory has also been moved:

usermod -l user2 -d /home/user2 -m -s /bin/tcsh brian

Note that -l renames only the login; the home directory is moved only because -d and -m were given, and under the UPG scheme the private group keeps its old name until it is renamed with groupmod.

Likewise, you can change details about a group with the groupmod utility. There are mainly two options: -g to change the GID and -n to rename the group.

Locking an account

A user's account can be locked by prefixing an exclamation mark to the user's password hash in /etc/shadow. This is done with passwd -l login-name or usermod -L login-name, and undone with passwd -u or usermod -U.

Without a shadow file the same effect is obtained by replacing the hash in the second field of /etc/passwd with an asterisk, which matches no password. A less useful option is to remove the password entirely with passwd -d: this leaves an empty password field and, depending on the PAM configuration (the nullok option), lets anyone log in without a password, so it is the opposite of a lock. Finally, one can also assign /bin/false or /sbin/nologin as the user's login shell in /etc/passwd.

Note that a locked hash only disables password authentication. Logins that do not use the password, such as SSH public-key authentication, still succeed. To disable the account entirely, also expire it: usermod -L -e 1 login-name (usermod's own manual suggests the expiry date 1, because shadow(5) documents 0 as ambiguous between "expired on 1970-01-01" and "never expires").

Changing the password expiry dates:

By default a user's password is valid for 99999 days, that is about 274 years (default PASS_MAX_DAYS). The user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following message as he logs in:

Warning: your password will expire in 6 days

There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum number of days before a user can change his password; it is set to zero by default.

The chage tool allows an administrator to change all these options.

Usage: chage [-l] [-m min_days] [-M max_days] [-W warn] [-I inactive] [-E expire] [-d last_day] user

The first option, -l, lists the current policy values for a user (and is the one option an unprivileged user may run on their own account). We will only discuss the -E option. It locks an account at a given date. The date is given either as a number of days since 1970-01-01 or in YYYY-MM-DD format; -E -1 removes the expiry date again.

Notice that all these values are stored in the /etc/shadow file (as day counts since 1970-01-01) and can be edited directly, but use vipw -s rather than a plain editor so the file is locked while you change it and other tools do not overwrite your edit.
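The following script is an added example, not part of the LPI page. It evaluates a single /etc/shadow line the way login does, covering both the locking section (the "!" prefix, the asterisk, the empty field) and the aging fields that chage manipulates, so the effect of each command can be checked without logging in as the user. The day-count comparisons follow shadow(5); the sample lines, hashes and the reference day 19800 are constructed, and shadow_status, days_left, lock_login and unlock_login are this example's own functions.

```shell
#!/bin/sh
# Added example, not from the LPI page: evaluate one /etc/shadow line the way
# login does, covering both the locking section (the '!' prefix, '*' and the
# empty field) and the aging fields that chage manipulates. The day-count
# comparisons follow shadow(5); the sample lines and hashes are constructed.
#
# /etc/shadow fields: login:hash:lastchg:min:max:warn:inactive:expire:reserved
# (all day values are days since 1970-01-01, the same unit chage -E accepts).

# shadow_status SHADOW_LINE TODAY_IN_DAYS -> prints one finding per line
shadow_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        hash = $2; last = $3; max = $5; warn = $6; inact = $7; expire = $8
        # --- password field: what kind of lock, if any ---
        if (hash == "")            print "EMPTY-PASSWORD"     # passwd -d: login without a password may succeed
        else if (hash ~ /^!/)      print "password-locked"    # passwd -l / usermod -L: only password auth is blocked
        else if (hash ~ /^\*/)     print "no-password-login"  # system account, never had a password
        # --- account expiry: blocks every authentication method, keys included ---
        # 0 is ambiguous per shadow(5); usermod -e 1 is the documented way to expire now
        if (expire != "" && expire + 0 > 0 && today >= expire + 0)
            print "account-expired"
        # --- password aging ---
        if (last == "0")
            print "must-change"                                # chage -d 0
        else if (last != "" && max != "" && max + 0 >= 0) {
            if (inact != "" && inact + 0 >= 0 && today > last + max + inact)
                print "inactive"                               # past the grace period: account disabled
            else if (today > last + max)
                print "password-expired"                       # user is forced to change at login
            else if (warn != "" && today >= last + max - warn)
                print "expiring-soon"                          # the "password will expire in N days" warning
        }
    }'
}

# days_left SHADOW_LINE TODAY -> days before the password expires
# (negative when already expired, "never" when max is unset or negative)
days_left() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        if ($3 == "" || $5 == "" || $5 + 0 < 0) { print "never"; exit }
        print $3 + $5 - today
    }'
}

# Lock an account completely, not just its password (see usermod(8), -L).
lock_login()   { usermod -L -e 1 "$1"; }
unlock_login() { usermod -U "$1" && chage -E -1 "$1"; }

# Demo with constructed entries, evaluated as of day 19800:
for line in \
    'brian:$6$salt$hash:19700:0:90:7:14::' \
    'andrew:!$6$salt$hash:19750:0:99999:7:::' \
    'carol:$6$salt$hash:19750:0:99999:7::1:' \
    'guest::19000:0:99999:7:::'
do
    printf '%-7s -> %s\n' "${line%%:*}" "$(shadow_status "$line" 19800 | tr '\n' ' ')"
done
```

On a real system the line comes from getent shadow login-name (as root) and today is $(( $(date +%s) / 86400 )); the output for andrew shows why lock_login sets the expiry date as well as the "!" prefix.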

Removing an account

A user's account may be removed with the userdel command. To make sure that the user's home directory (and mail spool) is also deleted use the -r option. userdel refuses to remove a user who is still logged in unless -f is given. Files the user owned outside the home directory keep the now unassigned UID and are silently inherited by the next account that is given that UID; find / -nouser lists them so they can be reassigned or removed.

Special-purpose accounts

Root has a user ID of 0, whereas ordinary users have user IDs starting at the UID_MIN value set in /etc/login.defs, usually 500 or 1000. Any account with UID 0 is root as far as the kernel is concerned, whatever its name, so /etc/passwd should contain exactly one such entry.

Root is not the only special purpose account on a Linux system. There are others for daemons such as mail, SSH, FTP, news, and others. These accounts can be viewed in the /etc/passwd file. They are created with useradd -r, which takes the UID from the SYS_UID_MIN to SYS_UID_MAX range, creates no home directory and records no password aging information.

As you can imagine, special purpose accounts cannot be accessed via regular login. They exist to own files and run daemons, and as such have a non-interactive login shell, /sbin/nologin (which prints a refusal message) or /bin/false (which exits silently), and an asterisk in the password field of /etc/shadow. Any login attempt on such an account fails at the shell even if the password check were to succeed, which is why both the shell and the password field should be checked when auditing a system: a daemon account with /bin/bash and a working password is a backdoor.
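The audit below is an added example, not part of the LPI page. It checks the points made in the configuration-files and shadow-password sections (every second field of /etc/passwd is an x, every user has a shadow entry, no shadow entry is empty, the shadow file is not group- or world-readable) and in this section (exactly one UID 0, no system account with an interactive shell). It runs against constructed sample files in a scratch directory; make_audit_sample, audit_accounts and all logins and hashes are this example's own, and UID_MIN is read from a trimmed login.defs.

```shell
#!/bin/sh
# Added example, not from the LPI page: an account audit over /etc/passwd,
# /etc/shadow and /etc/login.defs that checks the points made in the
# configuration-files, shadow-password and special-purpose-account sections.
# It runs against constructed sample files in a scratch directory; point
# audit_accounts at /etc instead to check a real system (root needed to read
# shadow). The logins and hashes below are made up.

make_audit_sample() {
    dir=$(mktemp -d)
    cat >"$dir/login.defs" <<'EOF'
# trimmed constructed login.defs
UID_MIN                  1000
UID_MAX                 60000
PASS_MAX_DAYS           99999
EOF
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$saltsalt$hashhashhashhashhash:1005:1005:Legacy:/home/legacy:/bin/bash
brian:x:1001:1001:Brian:/home/brian:/bin/bash
guest:x:1006:1006:Guest:/home/guest:/bin/bash
EOF
    cat >"$dir/shadow" <<'EOF'
root:$6$saltsalt$hashhashhashhashhash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
mail:*:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
toor:$6$saltsalt$hashhashhashhashhash:19700:0:99999:7:::
brian:$6$saltsalt$hashhashhashhashhash:19700:0:99999:7:::
guest::19000:0:99999:7:::
EOF
    chmod 644 "$dir/shadow"     # deliberately wrong; the audit should catch it
    printf '%s\n' "$dir"
}

# audit_accounts DIR -> one finding per line (nothing printed means clean)
audit_accounts() {
    dir=$1
    uid_min=$(awk '$1 == "UID_MIN" { print $2 }' "$dir/login.defs")
    # shadow holds the hashes: group/other must have no access (600 or 400)
    perms=$(ls -ld "$dir/shadow" | cut -c1-10)
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        *[rwx]*) echo "shadow: mode $perms lets group/other read password hashes" ;;
    esac
    awk -F: -v uid_min="${uid_min:-1000}" '
        FNR == NR {                                   # pass 1: shadow
            in_shadow[$1] = 1
            if ($2 == "") print "shadow: " $1 " has an empty password (no password needed)"
            next
        }
        # pass 2: passwd
        $2 != "x"          { print "passwd: " $1 " keeps a hash (or nothing) in world-readable passwd" }
        !($1 in in_shadow) { print "passwd: " $1 " has no shadow entry (run pwck)" }
        $3 == 0 && $1 != "root" { print "passwd: " $1 " has UID 0 and is a second root" }
        $3 > 0 && $3 < uid_min && $7 !~ /\/(nologin|false)$/ {
            print "passwd: system account " $1 " (UID " $3 ") has interactive shell " $7
        }
    ' "$dir/shadow" "$dir/passwd"
}

# Demo:
d=$(make_audit_sample)
audit_accounts "$d"
chmod 600 "$d/shadow" && echo "--- after chmod 600 ---" && audit_accounts "$d"
rm -rf "$d"
```

The sample deliberately contains one of each problem (toor, legacy, guest, backup and the 644 shadow file); after the chmod only the entries themselves remain to be fixed, with usermod -s, passwd -l, pwconv and userdel as appropriate.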

The following is a partial list of the files, terms and utilities that were used:
 * /etc/passwd
 * /etc/shadow
 * /etc/group
 * /etc/skel
 * chage
 * groupadd
 * groupdel
 * groupmod
 * passwd
 * useradd
 * userdel
 * usermod
