Since Linux is a multi-user operating system, several people may be logged in and actively working on a given machine at the same time. Security-wise, it is never a good idea to allow users to share the credentials of the same account. In fact, best practices dictate the use of as many user accounts as people needing access to the machine.
At the same time, it is to be expected that two or more users may need to share access to certain system resources, such as directories and files. User and group management in Linux allows us to accomplish both objectives.
Adding a new user involves dealing with an account other than your own, which requires superuser (aka root) privileges. The same applies to other user or group management tasks, such as deleting an account, updating accounts, and creating and removing groups.
These operations are performed using the following commands:
adduser: add a user to the system.
userdel: delete a user account and related files.
addgroup: add a group to the system.
delgroup: remove a group from the system.
usermod: modify a user account.
chage: change user password expiry information.
sudo: run one or more commands as another user (typically with superuser permissions).
Relevant files: /etc/passwd (user information), /etc/shadow (encrypted passwords), /etc/group (group information) and /etc/sudoers (configuration for
Superuser permissions can be gained either by changing to the root user with the su command or using sudo. The latter approach is used by default in Ubuntu and derivatives, and is preferred over the former in other distributions as well.
It is also important to note that, as opposed to other Linux flavors, the user that is created when Ubuntu is first installed has superuser privileges out-of-the-box. You can verify whether sudo is installed on your machine by running
on a terminal. If this command returns the absolute path of the associated file (typically /usr/bin/sudo), it means that the package is installed. Otherwise, you can install it with
apt-get install sudo
on Debian, or
yum install sudo
in CentOS or similar.
To begin, let's create a new user named pluralsight using Ubuntu and CentOS as representative distributions.
In Ubuntu or derivatives, this is as easy as doing (you will be required to enter your password to run
sudo adduser pluralsight
In other distributions, first log in as root and do:
You may be prompted to set the new user's initial password, and other optional information (such as full name, work phone, etc). This will be stored in /etc/passwd using colons as field separators. If not, you can assign a password for the newly created account named pluralsight with
and entering it twice. Needless to say, you must preface the above command with sudo if you're using Ubuntu.
When a new user is added, a group with the same name is created automatically. This is called a primary group.
Now that we have a regular user account created, we will explain how to utilize it to perform user management tasks.
To grant pluralsight superuser permissions, we will need to add an entry for it in /etc/sudoers. This file is used to indicate which users can run what commands with elevated permissions (most likely as root).
Although /etc/sudoers is nothing more and nothing less than a plain text file, it must NOT be edited using a regular text editor. Instead, we will use the visudo command. As opposed to other text editors, by utilizing visudo we will ensure that 1) no one else can modify the file at the same time, and 2) the file syntax is checked upon saving changes.
visudo, just type the command and press Enter. Don't forget to do
instead if you're in Ubuntu. In any event, the file will be opened using your default text editor.
The easiest method to grant superuser permissions for pluralsight is by adding the following line at the bottom of /etc/sudoers:
pluralsight ALL=(ALL) ALL
Let's explain the syntax of this line:
First off, we indicate which user this rule refers to (pluralsight).
The first ALL means the rule applies to all hosts using the same /etc/sudoers file. Nowadays, this means the current host since the same file is not shared across other machines.
Next, (ALL) ALL tells us that pluralsight will be allowed to run all commands as any user. Functionally speaking, this is equivalent to (root) ALL.
As an alternative to using the wide permissions outlined above, we can restrict the list of commands that can be executed by a given user by grouping them into sets known as aliases.
For example, we may want to allow user pluralsight to only use usermod, but not other commands. To do so, we can either list the commands one by one (using the corresponding absolute paths) at the end of the same entry:
pluralsight ALL=(root) /usr/sbin/adduser, /usr/sbin/usermod
or define an alias (which we can name as we wish as long as it's all upper case, for example USERMANAGEMENT):
Cmnd_Alias USERMANAGEMENT = /usr/sbin/adduser, /usr/sbin/usermod
pluralsight ALL=(root) USERMANAGEMENT
While the latter requires two lines, it is often preferred over the former because it helps keep /etc/sudoers cleaner. In any event, pluralsight will not be able to execute any commands as root other than those specified above.
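An added example (not part of the original guide): a small Python audit that reads sudoers-style text, expands Cmnd_Alias names, and reports which users hold an unrestricted ALL rule. It handles only the simplified "user host=(runas) commands" form shown above; the sample text and the users alice and bob are constructed for illustration.

```python
import re

# Constructed sample covering the three rule styles discussed above.
SAMPLE = """\
# constructed sample, not a real host's /etc/sudoers
Cmnd_Alias USERMANAGEMENT = /usr/sbin/adduser, /usr/sbin/usermod
alice ALL=(ALL) ALL
bob ALL=(root) /usr/sbin/adduser, /usr/sbin/usermod
pluralsight ALL=(root) USERMANAGEMENT
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_sudoers(text):
    """Return one dict per user rule, with Cmnd_Alias names expanded."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            user, host, runas, cmds = m.groups()
            rules.append({"user": user, "host": host,  # no (runas) means root
                          "runas": runas or "root", "raw_cmds": split_list(cmds)})
    for r in rules:  # second pass, so aliases defined after a rule still expand
        expanded = []
        for c in r.pop("raw_cmds"):
            expanded.extend(aliases.get(c, [c]))
        r["commands"] = expanded
        r["unrestricted"] = "ALL" in expanded
    return rules

def unrestricted_users(text):
    return sorted(r["user"] for r in parse_sudoers(text) if r["unrestricted"])

if __name__ == "__main__":
    print(unrestricted_users(SAMPLE))
```

A restricted rule limits which programs run as root, not what those programs can do: account-management tools such as usermod can change group membership, so review who receives them as carefully as a full ALL grant.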
For more information on the available options in /etc/sudoers, refer to
visudo will alert you if a syntax error is found in the file, and indicate the line where the error is found so that you can identify it more easily.
If no errors are found while saving the recent changes in /etc/sudoers, we'll be ready to start using pluralsight to perform user management tasks. To do so, use the su command to change to that account.
Note that from this point, there is no need to use the root account if you're in CentOS or similar.
The -l option provides an environment like what the user would expect if he or she had logged in directly:
su -l pluralsight
and press Enter.
Please continue on to the next guide in this series, Getting Started with User Management for Linux Administration.