Linux All-in-One For Dummies, 5th Edition (2014)

Book V. Administration

Chapter 2. Managing Users and Groups

In This Chapter

· Managing a user account with a GUI user manager and commands

· Understanding the password file

· Managing your groups

· Working in the user environment

· Changing user and group ownerships of files and directories

Linux is a multiuser system, so it has many user accounts. Even if you’re the only user on your system, there will be a whole host of system user accounts. These aren’t for people. They’re just for running specific programs; many servers require a unique username and group name. For example, the FTP server runs under the username ftp.

User accounts can belong to one or more groups. Typically, each username has a corresponding private group name. By default, each user belongs to that corresponding private group. However, you can define other groups for the purpose of providing access to specific files and directories based on group membership.

User and group ownerships of files are a way to make sure that only the right people (or the right process) can access the right files and directories. Managing the user and group accounts is a typical job for system administration. It’s not hard to do this part of the job, given the tools that come with Linux, as you discover in this chapter.

Adding User Accounts

You get the chance to add user accounts when you boot your system for the first time after installing Linux. Typically (depending on your distribution), the root account is the only one that must be created/set up during installation. If you don’t add other user accounts when you start the system for the first time, you can add new users later on, using a GUI user account manager or the useradd command.

Remember: Creating other user accounts besides root is always a good idea. Even if you’re the only user of the system, logging in as a less privileged user is good practice because that way you can’t damage any important system files inadvertently. If necessary, you can type su - to log in as root and then perform any system administration tasks.

Managing user accounts by using a GUI user manager

Most Linux distributions come with a GUI tool to manage user accounts. You can use that GUI tool to add new user accounts. The tool displays a list of current user accounts and has an Add button for adding new users. For the purposes of illustration, the YaST interface from OpenSUSE is shown in Figure 2-1.

Figure 2-1: In SUSE, select the Security and Users category from the left side of the YaST Control Center, and then click the User and Group Management icon in the right side of the window.

The basic steps, regardless of the specific GUI tool, are as follows:

1. Click the Add User button.

A dialog box prompts you for information about the username and password variables for the new user account, as shown in Figure 2-2.

Figure 2-2: You can create the account by supplying the requested variables.

2. Enter the requested information.

The GUI tool takes care of adding the new user account.

3. (Optional) Click one of the other tabs for the user (refer to Figure 2-2) to configure additional information.

The Details tab (shown in Figure 2-3) allows you to override the defaults for the home directory, shell, and ID information.

The Password Settings tab (shown in Figure 2-4) allows you to override the defaults for the password configuration. Plug-Ins can be used for a number of parameters, but are often used with quota configuration (such as size limits on files and the number of inodes that can be created):

· Soft limits warn the user.

· Hard limits stop the user.

Tip: The tabs — other than User Data — are used to override the system defaults. If you want to change the system defaults, change the variables in the User and Group Administration interface.

Figure 2-3: Use Details to configure settings other than the defined defaults for user accounts.

Figure 2-4: Use Password Settings to configure settings other than the defined defaults for new user accounts.

Notice that the tool you use for adding new users is called User and Group Management because there are two types of accounts it can configure: Users and Groups. Selecting Groups instead of Users allows you to add new groups to /etc/group, as shown in Figure 2-5.

Figure 2-5: Groups can be created and managed similarly to users.

To add a new user account, click the Add button and enter the information requested in the New Local User window. Fill in the requested information (including any add-ins such as for group quotas) and then click the OK button.

Notice that the newly added user account from Figure 2-2 now appears in the list of users in the Group Members pane and can be added — along with others — to the group.

You can add more user or group accounts, if you like. When you finish, click the OK button to create any new accounts you’ve added; then you exit automatically.

By default, YaST places all local users in a group named users. Sometimes you want a user to be in another group as well, so that user can access the files owned by that group. Adding a user to another group is easy. For example, to add the username kdulaney to the group called wheel, type the following command in a terminal window (the -a option appends wheel to the user’s existing supplementary groups; without it, -G replaces them):

usermod -a -G wheel kdulaney

Tip: To remove a user account, click the username in the list of user accounts and then click the Remove or the Delete button.

Managing user accounts by using commands

If you’re working from a text console, you can create a new user account by using the useradd command. Follow these steps to add an account for a new user:

1. Log in as root.

If you’re not already logged in as root, type su - to become root.

2. Type the following useradd command with the -c option to create the account:

/usr/sbin/useradd -c "Kristin Dulaney" kdulaney

3. Set the password by using the passwd command, as follows:

passwd kdulaney

You’re prompted for the password twice. If you type a password that someone can easily guess, the passwd program will scold you and suggest that you use a more difficult password.

Technical Stuff: The useradd command consults the following configuration files to obtain default information about various parameters for the new user account:

· /etc/default/useradd: Specifies the default shell (/bin/bash) and the default home directory location (/home).

· /etc/login.defs: Provides system-wide defaults for automatic group and user IDs, as well as password-expiration parameters.

· /etc/skel: Contains the default files that useradd creates in the user’s home directory.

Examine these files with the cat or more commands to see what they contain.

Remember: You can delete a user account by using the userdel command. Simply type /usr/sbin/userdel username at the command prompt, where username is the name of the user you want to remove. To wipe out that user’s home directory as well, type userdel -r username.

To modify any information in a user account, use the usermod command. For example, for user kdulaney to have root as the primary group, type the following:

usermod -g root kdulaney

Tip: To find out more about the useradd, userdel, and usermod commands, type man useradd, man userdel, or man usermod, respectively, in a terminal window.

Understanding the /etc/passwd File

The /etc/passwd file is a list of all user accounts. It’s a text file and any user can read it — no special privileges needed. Each line in /etc/passwd has seven fields, separated by colons (:).

Here’s a typical entry from the /etc/passwd file:

kdulaney:x:1000:1000:Kristin Dulaney,,:/home/kdulaney:/bin/bash

As the example shows, the format of each line in /etc/passwd looks like this:

username:password:UID:GID:GECOS:homedir:shell

Table 2-1 explains the meaning of the seven fields in each /etc/passwd entry.

Table 2-1 Fields in the /etc/passwd File

This Field   Contains
username     An alphanumeric username, usually 8 characters long and unique. (Linux allows usernames to be longer than 8 characters, but some other operating systems do not.)
password     When present, a 13-character encrypted password. (An empty field means that no password is required to access the account. An x means the password is stored in the /etc/shadow file, which is more secure.)
UID          A unique number that serves as the user identifier. (root has a UID of 0, and usually UIDs from 1 to 100 are reserved for nonhuman users such as servers; keeping the UID value to less than 32,767 is best.)
GID          The default group ID of the group to which the user belongs (GID 0 is for group root, other groups are defined in /etc/group, and users can be, and usually are, in more than one group at a time).
GECOS        Optional personal information about the user. (The finger command uses this field; GECOS stands for General Electric Comprehensive Operating System, a long-forgotten operating system that’s immortalized by the name of this field in /etc/passwd.)
homedir      The name of the user’s home directory.
shell        The command interpreter (shell), such as bash (/bin/bash), which executes when this user logs in.
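Because /etc/passwd is plain text with a fixed field layout, the checks Table 2-1 implies can be scripted. The following shell script is an added example, not code from the book: it reads passwd-format lines and reports the entries an administrator should look at (a line without seven fields, an empty password field, a hash kept in /etc/passwd instead of /etc/shadow, and a UID of 0 or a UID shared between accounts). The function names audit_passwd and count_findings and the sample lines in SAMPLE_PASSWD are constructed for this example; on a real system, feed the function /etc/passwd instead.

```shell
#!/bin/sh
# Constructed sample /etc/passwd content (not from a real system).
# It deliberately includes an empty password field, a second UID 0
# account, and a line with a missing field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
kdulaney:x:1000:1000:Kristin Dulaney,,:/home/kdulaney:/bin/bash
backup::1001:1001:Legacy backup account:/home/backup:/bin/bash
toor:x:0:0:Second superuser:/root:/bin/bash
badline:x:1002:1002:missing shell field:/home/badline'

# audit_passwd reads passwd-format lines on stdin and prints one finding
# per problem, as "username: finding". A clean file produces no output.
audit_passwd() {
    awk -F: '
        # Every entry must have exactly seven colon-separated fields.
        NF != 7 { print $1 ": expected 7 fields, found " NF; next }
        # An empty password field means login without a password.
        $2 == "" { print $1 ": empty password field (no password required)" }
        # Anything other than x here is a hash in the world-readable file.
        $2 != "x" && $2 != "" { print $1 ": password hash stored in /etc/passwd, not /etc/shadow" }
        # Only root should have UID 0.
        $3 == 0 && $1 != "root" { print $1 ": UID 0 but not root" }
        # UIDs should be unique; report reuse against the first holder.
        $3 in seen_uid { print $1 ": UID " $3 " also used by " seen_uid[$3] }
        { seen_uid[$3] = $1 }
    '
}

# count_findings runs the audit over the constructed sample and returns
# the number of findings.
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | wc -l | tr -d ' '
}

# Typical use on a live system: audit_passwd < /etc/passwd
```

Over the sample, the audit reports the backup account (empty password field), toor (UID 0 but not root, and UID 0 already held by root) and badline (six fields), for four findings in total.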

Managing Groups

A group is something to which users belong. A group has a name and an identification number (ID). After a group is defined, users can belong to one or more of these groups.

You can find all the existing groups listed in /etc/group. For example, here’s the line that defines the group named wheel:

wheel:x:10:root,kdulaney

As this example shows, each line in /etc/group has the following format, with four fields separated by colons:

groupname:password:GID:membership

Table 2-2 explains the meaning of the four fields in a group definition.

Table 2-2 Meaning of Fields in /etc/group File

Field Name   Meaning
Groupname    The name of the group (for example, wheel)
Password     The group password (an x means that the password is stored in the /etc/shadow file)
GID          The numerical group ID (for example, 10)
Membership   A comma-separated list of usernames that belong to this group (for example, root,kdulaney)

If you want to create a new group, you can simply use the groupadd command. For example, to add a new group called class with an automatically selected group ID, type the following command in a terminal window (you have to be logged in as root):

groupadd class

Then you can add users to this group with the usermod command. For example, to add the user kdulaney to the group named class, type the following command (the -a option appends class to the user’s existing supplementary groups; without it, -G replaces them):

usermod -a -G class kdulaney

If you want to remove a group, use the groupdel command. For example, to remove a group named class, type

groupdel class
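A point that matters when you audit group membership: the membership field of /etc/group only lists supplementary members. A user whose primary GID in /etc/passwd is the group’s GID belongs to the group too, but does not appear in /etc/group at all. The following shell script is an added example, not code from the book, and resolves the complete membership of a group from both files. The function names group_members and write_samples, the variables PASSWD_FILE and GROUP_FILE, and the sample file contents are constructed for this example; on a real system, set the two variables to /etc/passwd and /etc/group.

```shell
#!/bin/sh
# Constructed sample files (not from a real system). jsmith has primary
# GID 10 (wheel) but is not listed in wheel's membership field.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kdulaney:x:1000:1000:Kristin Dulaney,,:/home/kdulaney:/bin/bash
jsmith:x:1001:10:J Smith:/home/jsmith:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
wheel:x:10:root,kdulaney
users:x:100:
class:x:1002:kdulaney'

# write_samples stores the constructed samples in temporary files and
# sets PASSWD_FILE and GROUP_FILE to point at them.
write_samples() {
    PASSWD_FILE=$(mktemp)
    GROUP_FILE=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"
    printf '%s\n' "$SAMPLE_GROUP" > "$GROUP_FILE"
}

# group_members GROUPNAME prints, sorted and one per line, every user who
# belongs to GROUPNAME either through the membership field of the group
# file or through the GID field of the passwd file.
group_members() {
    awk -F: -v grp="$1" '
        # First file: the group file. Remember the GID and print the
        # explicitly listed members.
        NR == FNR {
            if ($1 == grp) {
                gid = $3
                n = split($4, members, ",")
                for (i = 1; i <= n; i++) if (members[i] != "") print members[i]
            }
            next
        }
        # Second file: the passwd file. A matching primary GID is a
        # membership the group file never shows.
        gid != "" && $4 == gid { print $1 }
    ' "$GROUP_FILE" "$PASSWD_FILE" | sort -u
}

# Typical use on a live system:
#   PASSWD_FILE=/etc/passwd GROUP_FILE=/etc/group group_members wheel
```

With the sample files, group_members wheel prints jsmith, kdulaney and root, while grep wheel /etc/group alone would have shown only root and kdulaney.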

Other User and Group Administration Values

One of the easiest ways to administer users and groups is to make certain you have the default values set to what you want them to be.

The concept of least privilege should be followed and, as the name implies, the goal of it is to give users the minimal privileges needed to do their jobs and nothing more.

Figure 2-6 shows the values that can be set for global password values. If you check the box Check New Passwords, then users will be prevented from using passwords that can be found in a dictionary, that are names, or use common words. The minimum password length can only be set if Check New Passwords is enabled; also consider the possible encryption methods seriously:

· DES is the default encryption method of many distributions, and although it works in almost any environment, it limits passwords to eight characters or fewer.

· MD5 lets you use longer passwords and is supported by all newer distributions, but can be a problem if you need to interact with older systems.

· SHA-512 is usually the other choice offered; it is a strong hash method that is not compatible with many systems.
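The encryption method chosen here is visible afterwards in the password field of /etc/shadow: a traditional DES hash is a bare 13-character string, while the newer methods prefix the hash with an identifier such as $1$ (MD5) or $6$ (SHA-512). The following shell script is an added example, not code from the book, and classifies shadow-format entries by that prefix so an administrator can spot accounts still carrying DES or MD5 hashes after a change of default. Beyond the three methods named in the text it also recognises $5$ (SHA-256), $y$ (yescrypt) and $2a$/$2b$/$2y$ (bcrypt), which are the other identifiers commonly found in practice. The function names hash_scheme and weak_hash_accounts and the sample entries in SAMPLE_SHADOW (whose hash strings are placeholders, not real hashes) are constructed for this example; on a real system, feed the function /etc/shadow as root.

```shell
#!/bin/sh
# Constructed /etc/shadow-style entries. The hash strings are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERHASH:16000:0:99999:7:::
kdulaney:$1$saltsalt$PLACEHOLDERHASH:16000:0:99999:7:::
legacy:legacyDESHash:16000:0:99999:7:::
ftp:*:16000:0:99999:7:::
svc:!:16000:0:99999:7:::
guest::16000:0:99999:7:::'

# hash_scheme FIELD prints the hashing scheme implied by one shadow
# password field, based on the $id$ prefix convention.
hash_scheme() {
    case "$1" in
        '')                      echo "none (empty: no password required)" ;;
        '!'*|'*')                echo "locked" ;;
        '$6$'*)                  echo "sha512" ;;
        '$5$'*)                  echo "sha256" ;;
        '$y$'*)                  echo "yescrypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$1$'*)                  echo "md5" ;;
        '$'*)                    echo "other crypt scheme" ;;
        *)                       echo "des (traditional 13-character crypt)" ;;
    esac
}

# weak_hash_accounts reads shadow-format lines on stdin and prints the
# accounts whose password is hashed with DES or MD5, or is empty.
# Locked accounts (* or !) are not reported: they cannot log in by password.
weak_hash_accounts() {
    while IFS=: read -r user pw _rest; do
        scheme=$(hash_scheme "$pw")
        case "$scheme" in
            des*|md5|none*) echo "$user: $scheme" ;;
        esac
    done
}

# Typical use on a live system (as root): weak_hash_accounts < /etc/shadow
```

Over the sample, weak_hash_accounts reports kdulaney (md5), legacy (des) and guest (none); root, ftp and svc pass.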

The default settings for new users, shown in Figure 2-7, can be set to increase security by choosing a different skeleton, a more secure shell, or a higher umask value.

Lastly, the authentication settings (shown in Figure 2-8) allow you to configure the connection settings that will take effect by default.

Figure 2-6: Global password variables can greatly increase system security.

Figure 2-7: Default values for the new users can be changed.

Figure 2-8: Default authentication setting values can be changed.

Exploring the User Environment

When you log in as a user, you get a set of environment variables that control many aspects of what you see and do on your Linux system. If you want to see your current environment, type the following command in a terminal window:

env

(By the way, the printenv command also displays the environment, but env is shorter.)

The env command prints a long list of lines. The collection of lines is the current environment; each line defines an environment variable. For example, the env command displays this typical line:

HOSTNAME=localhost.localdomain

This line defines the environment variable HOSTNAME as localhost.localdomain.

An environment variable is nothing more than a name associated with a string. For example, the environment variable named PATH is typically defined as follows for a normal user:

PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin

The string to the right of the equal sign (=) is the value of the PATH environment variable. By convention, the PATH environment variable is a sequence of directory names, each name separated from the others by a colon (:).

Each environment variable has a specific purpose. For example, when the shell has to search for a file, it simply searches the directories listed in the PATH environment variable in the order of their appearance. Therefore, if two programs have the same name, the shell executes the one it finds first.

In a fashion similar to the shell’s use of the PATH environment variable, an editor such as vi uses the value of the TERM environment variable to figure out how to display the file you edit with vi. To see the current setting of TERM, type the following command at the shell prompt:

echo $TERM

If you type this command in a terminal window, the output is as follows:

xterm

To define an environment variable in bash, use the following syntax:

export NAME=Value

Here NAME denotes the name of the environment variable and Value is the string representing its value. Therefore you set TERM to the value xterm by using the following command:

export TERM=xterm

Tip: After you define an environment variable, you can change its value by simply specifying the new value with the syntax NAME=new-value. For example, to change the definition of TERM to vt100, type TERM=vt100 at the shell prompt.

With an environment variable such as PATH, typically you want to append a new directory name to the existing definition rather than define the PATH from scratch. For example, if you download and install the fictional XYZ 5 Development Kit, you have to add the location of the XYZ binaries to PATH. Here’s how you accomplish that task:

export PATH=$PATH:/usr/xyz/xyz.5.0/bin

This command appends the string :/usr/xyz/xyz.5.0/bin to the current definition of the PATH environment variable. The net effect is to add /usr/xyz/xyz.5.0/bin to the list of directories in PATH.

Note: You also can write this export command as follows:

export PATH=${PATH}:/usr/xyz/xyz.5.0/bin

After you type that command, the shell can find and run the programs in the /usr/xyz/xyz.5.0/bin directory.
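Because the shell runs the first match it finds while walking PATH in order, the contents and ordering of PATH are a security setting: an empty entry or a dot searches the current directory, a relative entry depends on where you happen to be, and a world-writable directory lets any local user place a program there that will be found ahead of the real one. The following shell script is an added example, not code from the book. check_path reports those conditions for each entry of a PATH string, and first_match shows which file the shell would execute for a given program name, so you can see the effect of an appended directory before exporting it. Both function names and the use of ls -ldL to read the other-write bit are choices made for this example.

```shell
#!/bin/sh
# check_path PATHSTRING prints one line per problematic entry: empty or
# "." entries, relative entries, missing directories and world-writable
# directories. Entries are split with parameter expansion rather than
# word splitting so that empty entries (leading, trailing or "::") survive.
check_path() {
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ] || [ "$dir" = "." ]; then
            echo "WARN: empty or '.' entry searches the current directory"
        elif [ "${dir#/}" = "$dir" ]; then
            echo "WARN: relative entry '$dir'"
        elif [ ! -d "$dir" ]; then
            echo "INFO: '$dir' does not exist"
        elif [ "$(ls -ldL "$dir" | cut -c9)" = "w" ]; then
            # Column 9 of ls -l output is the write bit for "others";
            # -L follows symlinks such as /bin -> usr/bin.
            echo "WARN: '$dir' is world-writable"
        fi
    done
}

# first_match NAME PATHSTRING prints the path of the executable the shell
# would run for NAME, walking PATHSTRING in order; returns 1 if none.
first_match() {
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Typical use on a live system:
#   check_path "$PATH"
#   first_match ls "$PATH"
```

The usual remedy for a finding is to put new directories at the end of PATH, as the book’s export PATH=$PATH:/usr/xyz/xyz.5.0/bin does, and to make sure nothing in PATH is writable by other users.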

PATH and TERM are only two of a handful of common environment variables. Table 2-3 lists some of the environment variables for a typical Linux user.

Table 2-3 Typical Environment Variables in Linux

Environment Variable   Contents
DISPLAY                The name of the display on which the X Window System displays output (typically set to :0.0)
HOME                   Your home directory
HOSTNAME               The host name of your system
LOGNAME                Your login name
MAIL                   The location of your mail directory
PATH                   The list of directories in which the shell looks for programs
SHELL                  Your shell (SHELL=/bin/bash for bash)
TERM                   The type of terminal

Changing User and Group Ownership of Files

In Linux, each file or directory has two types of owners: a user and a group. In other words, a user and group own each file and directory. The user and group ownerships can control who can access a file or directory.

To view the owner of a file or directory, use the ls -l command to see the detailed listing of a directory. For example, here’s a typical file’s information:

-rw-rw-r-- 1 kdulaney kdulaney 40909 Aug 16 20:37 composer.txt

In this example, the first set of characters shows the file’s permission setting — who can read, write, or execute the file. The third and fourth fields (in this example, kdulaney kdulaney) indicate the user and group owner of the file. Each user has a private group that has the same name as the username. Thus most files appear to show the username twice when you list user and group ownership.

As a system administrator, you may decide to change the group ownership of a file to a common group. For example, suppose you want to change the group ownership of the composer.txt file to the class group. To do that, log in as root and type the following command:

chgrp class composer.txt

This chgrp command changes the group ownership of composer.txt to class.

You can use the chown command to change the user owner. The command has the following format:

chown username filename

For example, to change the user ownership of a file named sample.jpg to kdulaney, type

chown kdulaney sample.jpg

The chown command can change both the user and group owner at the same time. For example, to change the user owner to kdulaney and the group owner to class, type

chown kdulaney.class composer.txt

In other words, you simply append the group name to the username with a period in between, and then use that as the name of the owner.
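Handing a file to a common group is usually two steps, not one: change the group owner with chgrp, then set permissions so the group can use the file and nobody else can. The following shell script is an added example, not code from the book. owner_and_group reads the third and fourth fields of ls -l output (the columns the text describes) and share_with_group performs the chgrp, tightens the mode to owner and group only, and verifies the result by reading the ownership back instead of assuming the command worked. Both function names are choices made for this example, and the test below uses the caller’s own primary group so it runs without root.

```shell
#!/bin/sh
# owner_and_group FILE prints "user group" for FILE, taken from the third
# and fourth columns of ls -ld output.
owner_and_group() {
    ls -ld "$1" | awk '{ print $3, $4 }'
}

# share_with_group FILE GROUP changes the group owner of FILE to GROUP,
# gives the owner and the group read/write access, removes all access for
# others, and prints "user group" once the change has been verified.
# Returns 1 if any step fails or the group does not read back as GROUP.
share_with_group() {
    chgrp "$2" "$1" || return 1
    chmod u=rw,g=rw,o= "$1" || return 1
    result=$(owner_and_group "$1")
    if [ "${result#* }" != "$2" ]; then
        echo "group change not applied to $1" >&2
        return 1
    fi
    echo "$result"
}

# Typical use (as root, or as the file's owner for a group you belong to):
#   share_with_group composer.txt class
```

Unlike a bare chgrp, this leaves the file with mode -rw-rw---- , so the group you just granted access to is the only other party that can read it.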