Gabriel Cánepa

User and Group Management in Linux

  • Jul 30, 2018
  • 7 Min read
Linux Administration

User and Group Management

Since Linux is a multi-user operating system, several people may be logged in and actively working on a given machine at the same time. Security-wise, it is never a good idea to allow users to share the credentials of the same account. In fact, best practices dictate the use of as many user accounts as people needing access to the machine.

At the same time, it is to be expected that two or more users may need to share access to certain system resources, such as directories and files. User and group management in Linux allows us to accomplish both objectives.

A Note on Superuser Permissions

Adding a new user involves dealing with an account other than your own, which requires superuser (aka root) privileges. The same applies to other user or group management tasks, such as deleting an account, updating accounts, and creating and removing groups.

These operations are performed using the following commands:

  • adduser: add a user to the system.

  • userdel: delete a user account and related files.

  • addgroup: add a group to the system.

  • delgroup: remove a group from the system.

  • usermod: modify a user account.

  • chage: change user password expiry information.

  • sudo: run one or more commands as another user (typically with superuser permissions).

  • Relevant files: /etc/passwd (user information), /etc/shadow (encrypted passwords), /etc/group (group information) and /etc/sudoers (configuration for sudo).

Superuser permissions can be gained either by changing to the root user with the su command or using sudo. The latter approach is used by default in Ubuntu and derivatives, and is preferred over the former in other distributions as well.

It is also important to note that, as opposed to other Linux flavors, the user that is created when Ubuntu is first installed has superuser privileges out-of-the-box. You can verify whether sudo is installed on your machine by running

which sudo

on a terminal. If this command returns the absolute path of the associated file (typically /usr/bin/sudo), it means that the package is installed. Otherwise, you can install it with

apt-get install sudo

on Debian, or

yum install sudo

in CentOS or similar.

Adding a New Regular Account

To begin, let's create a new user named pluralsight using Ubuntu and CentOS as representative distributions.

In Ubuntu or derivatives, this is as easy as running (you will be required to enter your password to run sudo):

sudo adduser pluralsight

In other distributions, first log in as root and run:

adduser pluralsight

You may be prompted to set the new user's initial password, and other optional information (such as full name, work phone, etc). This will be stored in /etc/passwd using colons as field separators. If not, you can assign a password for the newly created account named pluralsight with

passwd pluralsight

and entering it twice. Needless to say, you must preface the above command with sudo if you're using Ubuntu.

When a new user is added, a group with the same name is created automatically. This is called a primary group.

The /etc/sudoers File

Now that we have a regular user account created, we will explain how to utilize it to perform user management tasks.

To grant pluralsight superuser permissions, we will need to add an entry for it in /etc/sudoers. This file is used to indicate which users can run what commands with elevated permissions (most likely as root).

Step 1 - Open /etc/sudoers with visudo

Although /etc/sudoers is nothing more and nothing less than a plain text file, it must NOT be edited using a regular text editor. Instead, we will use the visudo command. As opposed to other text editors, by utilizing visudo we will ensure that 1) no one else can modify the file at the same time, and 2) the file syntax is checked upon saving changes.

To launch visudo, just type the command and press Enter. Don't forget to do

sudo visudo

instead if you're in Ubuntu. In any event, the file will be opened using your default text editor.

Step 2 - Add an Entry in /etc/sudoers for the New User Account

The easiest method to grant superuser permissions for pluralsight is by adding the following line at the bottom of /etc/sudoers:

pluralsight ALL=(ALL) ALL

Let's explain the syntax of this line:

  • First off, we indicate which user this rule refers to (pluralsight).

  • The first ALL means the rule applies to all hosts using the same /etc/sudoers file. Nowadays, this means the current host since the same file is not shared across other machines.

  • Next, (ALL) ALL tells us that pluralsight will be allowed to run all commands as any user. Functionally speaking, this is equivalent to (root) ALL.

Step 3 (Optional): Create Command Aliases

As an alternative to the wide permissions outlined above, we can restrict the list of commands that can be executed by a given user by grouping them into sets known as aliases.

For example, we may want to allow user pluralsight to only use adduser and usermod, but not other commands. To do so, we can either list the commands one by one (using the corresponding absolute paths) at the end of the same entry:

pluralsight    ALL=(root) /usr/sbin/adduser, /usr/sbin/usermod

or define an alias (which we can name as we wish as long as it's all upper case, for example USERMANAGEMENT):

Cmnd_Alias USERMANAGEMENT = /usr/sbin/adduser, /usr/sbin/usermod
pluralsight    ALL=(root) USERMANAGEMENT

While the latter requires two lines, it is often preferred over the former because it helps keep /etc/sudoers cleaner. In any event, pluralsight will not be able to execute any commands as root other than those specified above.

For more information on the available options in /etc/sudoers, refer to man sudoers.

While saving, visudo will alert you if a syntax error is found in the file, and indicate the line where the error is found so that you can identify it more easily.
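
As an added example (not part of the original guide and not code from the sudo project), the following Python audit reads rules in the syntax explained above, expands Cmnd_Alias names, and reports which accounts hold an unrestricted ALL grant. The sample file and the backupadmin account are constructed for illustration; only single-line rules and Cmnd_Alias are handled, so syntax validation itself remains the job of visudo.

```python
import re

# Constructed sample in the syntax the guide describes; not from a real host.
SAMPLE_SUDOERS = """\
# delegated user management (constructed sample)
Cmnd_Alias USERMANAGEMENT = /usr/sbin/adduser, /usr/sbin/usermod
root         ALL=(ALL) ALL
pluralsight  ALL=(root) USERMANAGEMENT
backupadmin  ALL=(ALL) ALL
"""

# Layout of a rule: user  host = (runas) command[, command ...]
USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def parse_sudoers(text):
    """Parse the single-line entries shown in the guide: Cmnd_Alias and user rules."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue  # comments, include directives and Defaults are out of scope
        keyword = line.split(None, 1)[0]
        if keyword.endswith("_Alias"):
            if keyword == "Cmnd_Alias":
                name, cmds = line[len(keyword):].split("=", 1)
                aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue  # User_Alias, Host_Alias and Runas_Alias are not expanded here
        match = USER_SPEC.match(line)
        if match:
            user, host, runas, cmds = match.groups()
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "commands": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def allowed_commands(text, user):
    """Commands a user may run through sudo, with Cmnd_Alias names expanded."""
    aliases, rules = parse_sudoers(text)
    allowed = []
    for rule in rules:
        if rule["user"] == user:
            for cmd in rule["commands"]:
                allowed.extend(aliases.get(cmd, [cmd]))
    return allowed

def unrestricted_grants(text):
    """Users (or %groups) whose rules allow ALL commands, the grants worth reviewing."""
    _, rules = parse_sudoers(text)
    users = {rule["user"] for rule in rules}
    return sorted(u for u in users if "ALL" in allowed_commands(text, u))
```

Running unrestricted_grants over a copy of /etc/sudoers gives a quick list of entries that could be narrowed to a command alias such as USERMANAGEMENT.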

Switching Users

If no errors are found while saving the recent changes in /etc/sudoers, we'll be ready to start using pluralsight to perform user management tasks. To do so, use the su command to change to that account. Note that from this point, there is no need to use the root account if you're in CentOS or similar.

Additionally, the -l option provides an environment like the one the user would get after logging in directly. Type

su -l pluralsight

and press Enter.

Please continue on to the next guide in this series, Getting Started with User Management for Linux Administration.