How to Manage Linux Groups and Users


You need to know how to manage Linux groups and users because you want to make sure that users have been authenticated and are who they claim to be.  Additionally, as a network administrator, you need to know how to manage Linux groups and users in order to complete tasks like these:

  • Audit users
  • Manage group memberships
  • Configure user environments
  • Set up disk space usage limits for accounts

How to Manage User Accounts in Linux

Adding and modifying user account credentials is a basic part of knowing how to manage Linux groups and users.  This part of system administration (and of penetration testing) involves mundane but critical activities such as:

  • Assigning usernames
  • Generating account information
  • Creating passwords
  • Deleting these credentials

Adding New User Accounts on a Linux System

When you add a new user account on a Linux system, you typically use the “useradd” utility, which sets in motion a number of processes across the system.  Let’s kick off the trip down the rabbit hole of adding a new user account on Linux by examining the two files and the directory involved in creating an account:

  • The /etc/login.defs file
  • The /etc/default/useradd file
  • The /etc/skel/ directory

/etc/login.defs File

Typically installed by default on most Linux distributions, this file contains directives (along with comments and inactive, commented-out directives) used by the shadow password suite commands that deal with account credentials (useradd, userdel, and passwd), and it controls:

  • Password length
  • How long until the user is required to change the account’s password
  • Default home directory creation

You can see a sample of the file in the first screenshot.   In the second screenshot below, we stripped out everything but the active directives.

Screenshot: the /etc/login.defs file on a Linux system.
Screenshot: a listing of all the active directives in the /etc/login.defs file.

A few items of note regarding this file:

UID_MIN:  Seen in the image above, UID_MIN indicates the lowest UID allowed for user accounts and is set to 1000.  A User Identification Number (UID) is the number Linux uses to identify a user account, that is, an account an authorized human uses to access the system (with the appropriate credentials).

SYS_UID_MIN/SYS_UID_MAX: While not active on the system the screenshot was taken from, a system account’s minimum UID is set by the SYS_UID_MIN directive and its maximum by the SYS_UID_MAX directive.  System accounts are accounts that provide services (daemons) or perform special tasks, such as the root user account.

Both of these settings apply to accounts created after the initial Linux distribution installation.  The list below covers the important directives in the /etc/login.defs file.

  • CREATE_HOME: Setting to yes creates a user account home directory; default is no.
  • ENCRYPT_METHOD: Hashing method for account passwords.
  • PASS_MAX_DAYS: Password’s expiration date; number of days until a password change is required.
  • PASS_MIN_DAYS: Number of days that must lapse after a password change until the password may be changed again.
  • PASS_MIN_LEN: Minimum number of characters required in a password.
  • PASS_WARN_AGE: Number of days prior to password expiration that a warning is issued to the user.
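The second screenshot above strips /etc/login.defs down to its active directives. The following shell functions do the same filtering and look up a single directive, reporting “unset” when only a commented-out copy exists. This is an added example, not code from the original post; the login.defs content below is a constructed sample, so on a real host pass /etc/login.defs instead.

```shell
#!/bin/sh
# Added example (not from the original post): list the active directives of a
# login.defs-style file (drop comments and blank lines) and look one up.
# The sample file below is constructed for the demo.

active_directives() {
    # $1 = path to a login.defs-style file; prints only the active lines
    grep -v -E '^[[:space:]]*(#|$)' "$1"
}

get_directive() {
    # $1 = file, $2 = directive name; prints its value, or "unset" when the
    # directive is absent or only present as a commented-out line
    val=$(active_directives "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Constructed sample of /etc/login.defs (CREATE_HOME is commented out)
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Constructed sample of /etc/login.defs
#CREATE_HOME    yes
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

UID_MIN         1000
UID_MAX         60000
ENCRYPT_METHOD  SHA512
EOF

active_directives "$SAMPLE"
get_directive "$SAMPLE" UID_MIN       # 1000
get_directive "$SAMPLE" CREATE_HOME   # unset: only the commented copy exists
```

The “unset” case matters when you script account creation: a commented-out CREATE_HOME line means useradd will not create a home directory unless you pass -m.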

/etc/default/useradd File

The /etc/default/useradd file is another configuration file involved in the account creation process.  As seen in the screenshot below, you can view its settings with two commands: the directives shown by “useradd -D” are the defaults in effect, and some of them may appear commented out when you run “cat /etc/default/useradd”.

Screenshot: rendering the “/etc/default/useradd” default settings and file contents.

Notice how the HOME directive is set to /home, meaning that any newly created user accounts have their home directories located within the /home directory; if CREATE_HOME is not set, or is set to no, in the “/etc/login.defs” file, a home directory is not created.  Additional directives to pay attention to are:

  • HOME: Base directory for user account directories.
  • INACTIVE: Number of days after a password has expired and has not been changed until the account will be deactivated.
  • SKEL: The skeleton directory.
  • SHELL: The default shell program for the user account, usually set to /bin/bash; when you access the command line, the user process is running the /bin/bash shell program, which provides the command line prompt and handles any user-entered commands.  Some distributions, such as Ubuntu, set the SHELL directive by default to /bin/sh, which is a symbolic link to another shell (in Ubuntu, the Dash shell).

/etc/skel/ Directory

The /etc/skel directory mentioned above holds template files.  If a home directory is created for a user, these files are copied into the user account’s home directory when the account is created.  If you change these files later, you’ll need to migrate the changed files to existing user accounts yourself.

/etc/passwd File

Account information is stored in the “/etc/passwd” file, with each account on a separate line of the file, as seen in the screenshot below.  The “/etc/passwd” records contain several colon (:) delimited fields, laid out in the list below the screenshot.

Screenshot: the /etc/passwd file with the Kali user account highlighted.

  • Field 1: User account’s username.
  • Field 2: Password field.  An x in this field indicates passwords are stored in the /etc/shadow file.  Because of its file permissions (it is world-readable), the passwd file can be compromised, so the actual password hashes are stored in the more restricted /etc/shadow file.
  • Field 3: User account’s user identification number (UID).
  • Field 4: User account’s group identification number (GID).
  • Field 5: Comment field.  This field is optional.  Traditionally it contains the user’s full name.
  • Field 6: User account’s home directory.
  • Field 7: User account’s default shell.  If set to /sbin/nologin or /bin/false, the user cannot interactively log into the system.

You may find a system with password hashes stored in the “/etc/passwd” file.  If so, use the “pwconv” command to migrate them to the “/etc/shadow” file.  You may have noticed that in an /etc/passwd record, field #7 may list either of the following as the default shell to prevent an account from interactively logging into the system:

  • /sbin/nologin: Set for system service/daemon account records that need system accounts but do not log in interactively.  They run in the background under their own account name.  If a malicious person attempted to interactively log in using the account, /sbin/nologin displays a brief message and logs them off before they reach a command prompt.  You can modify the message shown by creating the file /etc/nologin.txt containing the desired text.
  • /bin/false: If this is set as a user account’s default shell, no message is shown; the user is simply logged out of the system.

/etc/shadow File

Contains information regarding user account passwords, even if a password has not yet been created for the account.  You can see its contents in the image below.

Screenshot: the /etc/shadow file on a Linux system.

As you can see, the /etc/shadow records contain several colon-delimited fields; each field is described in the list below.  Field #1 is the account’s username and is the only field shared with the “/etc/passwd” file.  Another important item to remember is that Linux runs on “Unix Epoch/POSIX” time, the number of seconds since January 1, 1970, although the “/etc/shadow” file stores this time in days rather than seconds.  You will also notice there are a number of different possible expiration dates that you need to be aware of when you manage Linux groups and users:

  • When password expiration occurs, there is a grace period; users have a certain number of days to log in with the old password and change the password immediately.
  • If the password has expired and the user does not log in to the system in time, they are locked out of the system.
  • Account expiration has no grace period; after expiration, the user cannot log into the account.
  • Field 1: User account’s username.
  • Field 2: Password field; a salted and hashed password.
    • “!!” or “!” in this field indicates a password has not been set for the account.
    • “!” or “*” indicates the account can’t use a password to log in.
    • “!” in front of a password indicates the account has been locked.
  • Field 3: Date of last password change, in days since the Unix Epoch.
  • Field 4: Number of days after a password is changed until the password may be changed again.
  • Field 5: Number of days until a password change is required.  This is the password’s expiration date.
  • Field 6: Number of days prior to a password’s expiration that a warning is issued to the user.
  • Field 7: Number of days after a password has expired until the account will be deactivated if the password is not changed.
  • Field 8: Date of account expiration, in days since the Unix Epoch.
  • Field 9: A field reserved for special future use, currently unused, referred to as the “special flag”.
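The two field lists above (for /etc/passwd and /etc/shadow) are what an account audit reads. The script below applies them to constructed sample records: it classifies each account’s shell as interactive or not, decodes the shadow password field (“!”, “!!”, “*”, a leading “!”, or a usable hash), and uses the day-based fields 3 and 5 to decide whether a password has expired. This is an added example, not code from the original post; the records and hash strings are constructed placeholders, and on a real host you would point it at /etc/passwd and /etc/shadow (which requires root to read).

```shell
#!/bin/sh
# Added example (not from the original post): audit constructed /etc/passwd
# and /etc/shadow samples using the field rules from the lists above.

PASSWD_SAMPLE=$(mktemp); SHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"' EXIT

# Constructed records; the hash strings are placeholders, not real hashes.
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/bin/bash
JamesBond:x:1001:1001::/home/JamesBond:/bin/bash
Batman:x:1002:1002::/home/Batman:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
kali:$y$PLACEHOLDERHASH:19100:0:90:7:::
JamesBond:!:19200:0:99999:7:::
Batman:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19200:0:99999:7:::
backup:*:18000:0:99999:7:::
EOF

shell_allows_login() {
    # $1 = shell from passwd field 7; false for the non-login shells
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

password_state() {
    # $1 = shadow field 2, classified as the list above describes.
    # An empty field means no password is required at all (if PAM permits
    # it), which is always worth flagging.
    case "$1" in
        '')       echo "empty-no-password-required" ;;
        '!'|'!!') echo "no-password-set" ;;
        '*')      echo "password-login-disabled" ;;
        '!'*)     echo "locked" ;;
        *)        echo "usable" ;;
    esac
}

password_expired() {
    # $1 = last change (shadow field 3, days), $2 = max age (field 5),
    # $3 = today as days since the epoch. Empty or 99999 max age = never.
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -lt 99999 ] && [ $(( $1 + $2 )) -lt "$3" ]
}

audit_accounts() {
    # $1 = passwd file, $2 = shadow file, $3 = today (days); one line per account
    passwd_file=$1; shadow_file=$2; today=$3
    while IFS=: read -r user pw uid gid gecos home shell; do
        pwfield=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow_file")
        lastchg=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$shadow_file")
        maxage=$(awk -F: -v u="$user" '$1 == u { print $5; exit }' "$shadow_file")
        if shell_allows_login "$shell"; then login=interactive; else login=no-login; fi
        if password_expired "$lastchg" "$maxage" "$today"; then age=expired; else age=current; fi
        printf '%s uid=%s shell=%s login=%s password=%s age=%s\n' \
            "$user" "$uid" "$shell" "$login" "$(password_state "$pwfield")" "$age"
    done < "$passwd_file"
}

TODAY=$(( $(date +%s) / 86400 ))   # the same day-based unit /etc/shadow uses
audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE" "$TODAY"
```

Interactive accounts reported as “no-password-set” are the ones the passwd section below warns about: an account created with useradd and never given a password.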

Putting it All Together: The Account Creation Process

Diagram: the account creation process on Linux.

If you have any familiarity with Linux, you will know that each individual distribution will vary in the configuration of user accounts, so review the directives within your system’s user account configuration files.

In the image below we are working on a Kali Linux distribution (because we are Mad Hackerz).  We kick this process off by looking at the CREATE_HOME and SHELL directives:

  • CREATE_HOME is not set (there is no response), so it will default to no.
  • The SHELL directive is set to /bin/sh instead of the Bash shell, meaning that creating an interactive user account with Bash requires you to specify the Bash shell explicitly.

When creating a user account on this Ubuntu distribution, in order for the account to have a home directory and use the Bash shell, you need to employ additional “useradd” command options.

In the screenshot below, we used three options with the useradd command.

  • As this system does not have the CREATE_HOME directive set, the “-m” option is used to force useradd to create a home directory for the account.
  • The “-d” option allows for naming the home directory, in this case “/home/JamesBond”.
  • The “-s” option is needed to set the account’s default shell to /bin/bash, as the SHELL directive is set to /bin/sh on this system.
  • As an aside, Ubuntu/Debian encourage using the “adduser” utility rather than the “useradd” utility.
 
The list below shows some of the more common options for the “useradd” command.

  • -c, --comment: Comment field contents; usually contains the user’s full name.  Optional.
  • -d, --home or --home-dir: User’s home directory specification.  Default action is set by the HOME and CREATE_HOME directives.
  • -D, --defaults: Display /etc/default/useradd directives.
  • -e, --expiredate: Date of account’s expiration in YYYY-MM-DD format.  Default action is set by the EXPIRE directive.
  • -f, --inactive: Number of days after a password has expired and has not been changed until the account will be deactivated.  A -1 indicates the account will never be deactivated.  Default action is set by the INACTIVE directive.
  • -g, --gid: Account’s group membership that is active when the user logs into the system (default group).
  • -G, --groups: Account’s additional group memberships.
  • -m, --create-home: If it does not exist, create the user account’s home directory.  Default action is set by the CREATE_HOME directive.
  • -M, --no-create-home: Do not create the user account’s home directory.  Default action is set by the CREATE_HOME directive.
  • -s, --shell: Account’s shell.  Default action is set by the SHELL directive.
  • -u, --uid: Account’s User Identification (UID) number.
  • -r, --system: Create a system account instead of a user account.

After doing some “clickity clack” and using the utility to create the account, the following occurred:

  • Records now exist for the new user account in the /etc/passwd and /etc/shadow files.
  • A new directory was created, “/home/JamesBond“, containing files from the distro’s /etc/skel/ directory.
  • As no password has been added to the JamesBond account yet, its record in the /etc/shadow file shows “!” in the password field.
 

Another way to view account records in the /etc/passwd and /etc/shadow files is via the getent utility with the following syntax:

getent <file_name> <account_name>

Screenshot: creating a user account on a Debian-based system with the “-md” and “-s” options.

How to Create User Passwords in Linux

If you are a Linux administrator looking to get a tattoo, consider tattooing the following on your forearm, or better yet, on the inside of your eyelids (yes, it is that important):

When creating an interactive account, you should immediately create a password for that account using the “passwd” utility.

You can see the usage of the “passwd” utility in the image below.

Screenshot: using the “passwd” utility to set a recently created user account’s password.

To update the password of any user, run the “passwd” utility with the user’s account name as an argument (as seen above); to update your own account’s password, enter “passwd” with no additional arguments.

The “passwd” utility interacts with Pluggable Authentication Modules (PAM); when you set or change a password with “passwd”, the pam_cracklib module checks the password and flags easily guessed passwords or passwords based on dictionary words.  Additionally, the “passwd” command performs a number of other related functions, outlined in the list below.

  • -d, --delete: Removes the account password.
  • -e, --expire: Sets an account’s password to expired.  The user must change the account password at next login.
  • -i, --inactive: Sets the number of days after which an account with an expired, unchanged password will be deactivated.
  • -l, --lock: Inserts an exclamation point (“!”) in front of the account’s password in the /etc/shadow file, preventing the user from logging in with the account’s password.
  • -n, --minimum: Indicates the number of days that must lapse after a password change until the password may be changed again.
  • -S, --status: Displays an account’s password status.
  • -u, --unlock: Removes a placed exclamation point (“!”) from the account’s password within the /etc/shadow file.
  • -w, --warning or --warndays: The number of days prior to a password’s expiration that a warning is issued to the user.
  • -x, --maximum or --maxdays: Sets the number of days until a required password change; this is the password’s expiration date.
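The account creation and password sections above amount to one procedure: check the host’s defaults (CREATE_HOME in /etc/login.defs, SHELL from useradd -D), pass useradd only the options those defaults make necessary, set the password immediately, and confirm the result with passwd -S and getent. The script below carries that procedure out. It is an added example, not code from the original post: the account name, home path and the default values it feeds itself are assumed, and with DRY_RUN=1 (the default here) it prints the commands instead of executing them, so the option logic can be checked without root.

```shell
#!/bin/sh
# Added example (not from the original post): provision an interactive
# account following the procedure above, deriving the useradd options from
# the host defaults. DRY_RUN=1 prints commands instead of running them.

DRY_RUN=${DRY_RUN:-1}

run() {
    # Print the command in dry-run mode, execute it otherwise.
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

default_shell() {
    # $1 = text of "useradd -D" output (passed in so the demo can fake it)
    printf '%s\n' "$1" | awk -F= '$1 == "SHELL" { print $2; exit }'
}

create_home_enabled() {
    # $1 = login.defs path; true only if an active "CREATE_HOME yes" line exists
    grep -E '^[[:space:]]*CREATE_HOME[[:space:]]+yes' "$1" >/dev/null 2>&1
}

useradd_args() {
    # $1 = user, $2 = login.defs path, $3 = "useradd -D" text.
    # -m when CREATE_HOME is not active, -d for the home path, and
    # -s /bin/bash when the default shell is not already bash.
    user=$1; args=""
    create_home_enabled "$2" || args="$args -m"
    args="$args -d /home/$user"
    [ "$(default_shell "$3")" = "/bin/bash" ] || args="$args -s /bin/bash"
    printf '%s\n' "${args# }"
}

provision_user() {
    # $1 = user, $2 = login.defs path, $3 = "useradd -D" text
    run useradd $(useradd_args "$1" "$2" "$3") "$1"
    run passwd "$1"            # set the password immediately
    run passwd -S "$1"         # confirm the status is P, not NP
    run getent passwd "$1"     # show the new /etc/passwd record
}

# Constructed stand-ins for this host's defaults: CREATE_HOME commented out
# and SHELL=/bin/sh, as in the Kali/Ubuntu example above.
LOGIN_DEFS=$(mktemp); trap 'rm -f "$LOGIN_DEFS"' EXIT
printf '#CREATE_HOME\tyes\nUID_MIN\t1000\n' > "$LOGIN_DEFS"
USERADD_D='GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel'

provision_user JamesBond "$LOGIN_DEFS" "$USERADD_D"
```

Run with DRY_RUN=0 as root, and with the real files (/etc/login.defs and the output of useradd -D), to execute rather than print; on a host where CREATE_HOME is active and SHELL is already /bin/bash, useradd_args drops the -m and -s options on its own.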

Viewing Password Options

In the screenshot below, JamesBond’s password status is shown in the first example by using the “-S” option; the status contains:

  • The account password’s state, which can be either:
    • Usable password (P)
    • No password (NP)
    • Locked password (L)
  • The last password change date
  • The password’s minimum, maximum, warning, and inactive settings. 

The second and third examples show the use of the “chage” utility to display password information in a more human-readable format, with the third example showing how you can modify account password settings.

Screenshot: using various commands to modify Linux user account settings.

usermod: Modifying Accounts

The “usermod” utility is employed to modify existing accounts.  Similar to the “passwd” command, it performs a myriad of functions, outlined in the list below.

  • -c, --comment: Modifies the contents of the comment field.
  • -d, --home: Sets a new user home directory.  Use in conjunction with the -m option to move the current directory’s files to the new location.
  • -e, --expiredate: Modifies the account’s expiration date (YYYY-MM-DD format).
  • -f, --inactive: Modifies the number of days after an account’s password expires, and is not changed, before the account is deactivated.  “-1” indicates the account will never be deactivated.
  • -g, --gid: Changes the account’s default group membership.
  • -G, --groups: Updates the account’s additional group memberships.  If only adding new group memberships, use the “-a” option to avoid removing the other group memberships.
  • -l, --login: Modifies the account’s username to the specified one without modifying the account’s home directory.
  • -L, --lock: Locks an account by placing an exclamation point (“!”) in front of the password within the account’s /etc/shadow file record.
  • -s, --shell: Changes the shell used by the account.
  • -u, --uid: Modifies the account’s UID.
  • -U, --unlock: Removes the exclamation point from the front of the password within the account’s /etc/shadow file record in order to unlock the account.

In the screenshot below, pay attention as we demonstrate:

  • The “usermod -L” command to lock the JamesBond account.
  • The “passwd -S” command, whose output shows the password status is L, indicating it is locked.
  • The output from the “getent” utility, which shows an exclamation point (!) in front of the JamesBond account’s password, locking the account.
  • The “usermod -U” command, which removes the lock, after which the status is rechecked.
Screenshot: using the “usermod” command to demonstrate its functionality.

You will find yourself using “usermod” commands to modify user accounts that you want set up differently than dictated by the distribution’s account creation configuration settings.  The screenshot below shows:

  • The creation of the Batman user account
  • Checking it with the “getent” utility and seeing that the “/bin/sh” shell is being used
  • Modifying the account’s shell to “/bin/bash” with the “-s” command option
Screenshot: using the “usermod” command to modify account attributes.

User Account Deletion in Linux

If you want to avoid a “resume-creating event”, check with your employer’s human resources staff prior to deleting any accounts on a system; there may be policies in place concerning file retention for terminated/retired employees.  With that disclaimer out of the way, deleting an account on Linux is quite simple with the “userdel” utility.  The most common option to use is the -r switch, which deletes the account’s home directory tree and the files within it.  The screenshot below shows the process:

  • The first two commands show:
    • That the “/home/Batman” directory exists and has files within it.
    • The account record in the /etc/passwd file.
  • The third command uses “userdel -r” to delete the account and the home directory.
    • An error message is generated stating that the /var/mail/DBowman file could not be found; this is not a problem.
  • The last two commands show:
    • Both the “/home/Batman” directory and its files were removed.
    • The “/etc/passwd” file no longer contains a record for the Batman account.
Screenshot: using the “userdel” command to remove a user account in Linux.

How to Manage Groups in Linux

Discretionary access control (DAC), the traditional Linux security control, manages file access based upon the user’s identity and current group membership, and groups are an essential part of it.  When created, user accounts are given membership in a particular group, the account’s default group.  While a user account can belong to many groups, its process can have only one designated current group at a time.  The default group is an account’s current group when the user first logs into the system.  Groups are identified by their name as well as their group identification number (GID); this is similar to how users are identified by UIDs, in that the GID is used by Linux to identify a particular group while humans use group names.  As an aside, Ubuntu/Debian distributions promote the use of the “addgroup” utility rather than the “groupadd” program, as the latter is considered a low-level utility.

If no group is designated when a user account is created, a new group with the same name as the user account and a new GID is created and assigned to the user account as its default group.  In the screenshot below, you can see examples of the following commands:

  • Use the “getent” command to view the “/etc/passwd” record for a particular account and see its default group: the fourth field in the record is the account’s GID, which identifies the default group.  The first command in the screenshot shows that the Batman account’s default group has a GID of 10010, but it does not provide a group name.
  • The “groups” command shows the group name, which is the same as the user account name, Batman.  This is typical when no default group was designated at account creation time.
  • The third example, with the “getent” command, shows that the group Batman maps to the 10010 GID.
  • The fourth example, using grep to search the /etc/group file, confirms the group id number.
  • The fifth example shows the addition of a group via the “groupadd” utility.  Normally, a group’s GID is automatically set by Linux, but it can be overridden with the “-g” command option.  A prerequisite to adding a user to a new group, or changing the account’s default group, is that the group must exist.  Be aware that super user privileges are required to create a new group (we are working as root in the examples).
  • The sixth and seventh examples use the “getent” and “grep” commands to show the new group record in the /etc/group file.  The colon (:) delimited fields in the /etc/group file are:
    • Group name
    • Group password: An x indicates that, if a group password exists, it is stored in the /etc/gshadow file.
    • GID
    • Group members: User accounts that belong to the group, separated by commas.
  • Example 8: The new group was created without a group password.  However, the x in the SatanIsMyGod group record within the /etc/group file does not prove this.  To make sure there is no group password, check the “/etc/gshadow” file; the second field contains an exclamation point (!), indicating no password is set for this group.
    • Group passwords allow users access to groups to which they do not belong; access to groups should only be granted via group membership, not group passwords.
  • Example 9: Once a group is created, you can set group membership, which is simply adding user accounts to the group with the “usermod” command.  First we checked the groups that Batman belongs to.
  • Example 10: Using “usermod” with the “-aG” options:
    • “-G”: adds the Batman account as a member of the “SatanIsMyGod” group.
    • “-a”: preserves the Batman account’s previous group memberships (the same holds, for example, when the DAdams account is added as a Project42 group member).
  • Examples 11/12: Evidence that the /etc/group file record for SatanIsMyGod was updated by the prior commands.
Screenshot: group management commands on Linux.
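The examples above read /etc/group and /etc/gshadow by hand with getent and grep. The functions below do the same over constructed copies of both files: list a group’s members, map a GID back to its name, list a user’s supplementary groups, and, following the Example 8 point that group passwords should not be relied on, report any group whose gshadow password field holds an actual hash rather than “!” or “*”. This is an added example, not code from the original post; the group records, the GIDs and the hash string are constructed placeholders, and on a real host you would read /etc/group and /etc/gshadow (the latter as root).

```shell
#!/bin/sh
# Added example (not from the original post): parse constructed /etc/group
# and /etc/gshadow samples and flag groups that carry a real group password.

GROUP_SAMPLE=$(mktemp); GSHADOW_SAMPLE=$(mktemp)
trap 'rm -f "$GROUP_SAMPLE" "$GSHADOW_SAMPLE"' EXIT

# /etc/group fields: name:password:GID:members (constructed records)
cat > "$GROUP_SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:kali
Batman:x:10010:
SatanIsMyGod:x:1138:Batman
Project42:x:1139:DAdams,Batman
EOF
# /etc/gshadow fields: name:password:administrators:members. "!" or "*" means
# no usable group password; the Project42 hash is a placeholder, not real.
cat > "$GSHADOW_SAMPLE" <<'EOF'
root:*::
sudo:!::kali
Batman:!::
SatanIsMyGod:!::Batman
Project42:$6$PLACEHOLDERSALT$PLACEHOLDERHASH::DAdams,Batman
EOF

group_members() {
    # $1 = group file, $2 = group name; prints the members one per line
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

gid_to_name() {
    # $1 = group file, $2 = GID; resolves the number to a group name
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

groups_of_user() {
    # $1 = group file, $2 = user; supplementary groups only (the default
    # group comes from /etc/passwd field 4 and is not listed here)
    awk -F: -v u="$2" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$1"
}

groups_with_password() {
    # $1 = gshadow file; prints groups whose password field is a real hash,
    # i.e. anything other than empty, "!" or "*"
    awk -F: '$2 != "" && $2 != "!" && $2 != "*" { print $1 }' "$1"
}

group_members "$GROUP_SAMPLE" Project42
gid_to_name "$GROUP_SAMPLE" 10010
groups_of_user "$GROUP_SAMPLE" Batman
groups_with_password "$GSHADOW_SAMPLE"
```

After a groupdel, the orphaned-file search the last example above describes can also be run as find / -xdev -nogroup, which lists files whose GID no longer resolves to a group without having to remember the deleted GID.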

As seen in the screenshot below:

  • Use the “groupmod” command to make changes to a group:
    • The “-g” option modifies the GID.
    • The “-n” option allows the group’s name to be modified.  The SatanIsMyGod group’s GID is modified to 99999, and the “getent” command confirms the /etc/group file was updated.  If the 1138 GID had already been in use by another group, the groupmod command would have displayed an error message and not changed the group’s GID.
  • Remove a group with the “groupdel” utility; after the SatanIsMyGod group is deleted, the “getent” utility shows the SatanIsMyGod group record removed from the “/etc/group” file.
  • Once you have removed a group, search the virtual directory system for files that may still have access settings for that group, using the find command and the deleted group’s GID.  An example of this task is shown in the last example.
Screenshot: modifying and deleting groups in Linux.

Setting Up the User Environment in Linux

After the user authenticates with the Linux system and before reaching the Bash shell’s command-line prompt, the user environment, which includes environment variables, command aliases, and various other settings, gets configured by environment files that contain Bash shell commands to perform the necessary operations.

Perusing Bash Parameters

The Bash shell uses environment variables to store information about the shell session and the working environment (thus the name environment variable).  You can view all the various environment variables set on your system via the set, env, and printenv commands.

Most of the time, environment variable names are all uppercase, but you will sometimes see them written with a preceding dollar sign ($), such as $PS1; adding the $ lets you use or display what is stored in the environment variable.

For example, echo $HISTSIZE displays the history list’s maximum number of saved commands.

When starting a Bash shell by logging in to Linux, Bash checks several environment/startup files (which are really shell scripts) for configuration settings, with the specific files being checked depending on the method used to start the Bash shell: 

  • As a default login shell when logging into the system at a tty# terminal
  • As an interactive shell started by spawning a subshell, such as when opening a terminal emulator in a Linux GUI
  • As a noninteractive shell started when running a shell script.
 
The list below includes some of the more important environment variables to know.

  • HISTCONTROL: Governs how commands are saved within the history list.
  • HISTSIZE: Controls the maximum number of commands saved within the history list.
  • PATH: Sets the directories in which the shell searches for command programs.
  • PS1: Defines the shell’s primary prompt.
  • SHELL: Sets the shell program’s absolute path.
  • USER: Contains the current process’s user account name.

Understanding User Environment Files

There are four files in the user’s home directory that function as environment files.  For a default login/interactive shell, the first of the files listed below to be found is run, while the rest are ignored:

  • .bash_profile
  • .bash_login
  • .profile
  • .bashrc: This file is typically run by one of the other three files listed here.
    • When a non-interactive shell is started, the .bashrc file is run.

 

A note about nomenclature: When reading documentation relating to a user account’s environment files, you will often see environment files in the user’s home directory denoted by symbols (e.g. the .bashrc environment file is often referred to as the $HOME/.bashrc or the ~/.bashrc file).

Managing Global Configuration Files in Linux

If you want to set up persistent changes to the working environment/shell sessions for all system users starting a Bash shell, tinker with the global configuration files; the global entries in these files can be overridden by individual users through entries in their $HOME environment files.  Global environment files include:

  • /etc/profile
  • Files in the /etc/profile.d/ directory
  • The /etc/bashrc or /etc/bash.bashrc file

Whether the /etc/bashrc or the /etc/bash.bashrc file is present depends on which distribution you are running; it is usually invoked via the user’s $HOME/.bashrc file.

When modifying the global environment, rather than changing /etc/profile or the other files, create a custom environment file with a .sh file extension and place it in the /etc/profile.d/ directory; all “.sh” files in the /etc/profile.d/ directory are run via the /etc/profile environment file for logins to the Bash shell.
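A drop-in file of the kind the paragraph above recommends, as an added example rather than code from the original post: it sets the two history variables from the list above and prepends a directory to PATH only when that directory exists and is not already present, so re-sourcing the file (or a user’s own ~/.bashrc doing the same) cannot duplicate entries. The directory /opt/site/bin is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): a global environment drop-in
# intended for /etc/profile.d/, e.g. installed with
#   install -m 0644 site-env.sh /etc/profile.d/site-env.sh
# It must stay POSIX sh so that both bash and dash can source it.

add_to_path() {
    # $1 = directory; prepend it once, skip if it is absent or already listed
    [ -d "$1" ] || return 0
    case ":$PATH:" in
        *":$1:"*) ;;                 # already present, nothing to do
        *) PATH="$1:$PATH" ;;
    esac
    export PATH
}

# History settings from the variable list above
HISTSIZE=5000
HISTCONTROL=ignoredups
export HISTSIZE HISTCONTROL

add_to_path /opt/site/bin           # assumed site-specific tool directory
```

Keeping the PATH edit in a function with an existence check avoids the two classic profile.d mistakes: a PATH that grows on every nested login shell, and a dangling entry for a directory that was never installed.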

Monitoring Linux Users

Linux is packed with auditing utilities, allowing administrators and hackers alike to determine:

  • Which users are currently accessing the system.
  • Who has accessed the system previously.
  • Which account name you are currently using.
  • Additional user account information.
 
Remember that as you monitor users, it is poor security practice to:
  • Share user accounts
  • Log directly into the root user account; if you need super user access, obtain sudo privileges.

In the screenshot below, we run through a number of commands to help you administer users on a Linux system:

  • The “whoami” command displays what user account you are currently using.
  • The “who” command provides a little more data than the whoami utility.
  • The “w” utility pulls user information from the “/var/run/utmp” file and gathers additional data from files in the “/proc/” directory.  In the example, the first displayed line shows the following information:
    • The current time
    • How long the system has been up
    • How many users are currently accessing the system
    • The CPU load averages for the last 1, 5, and 15 minutes
    • The next several lines concern current system user information, and the columns are:
      • USER: The account’s name
      • TTY: The account’s currently used terminal
      • LOGIN@: When the user logged into the account
      • IDLE: How long it has been since the user interacted with the system
      • JCPU: How much total CPU time the account has used
      • PCPU: How much CPU time the account’s current command (process) has used
      • WHAT: What command the account is currently running
  • The “id” program: Pulls out data concerning the current user process, or any other user id passed as an argument.  Commonly used options for the “id” command include:
    • -g/--group: Displays the account’s current group’s GID, which is either the account’s default group or a group reached by using the newgrp command.
    • -G/--groups: Displays all the account’s group memberships via each one’s GID.
    • -n/--name: Displays the account’s name instead of the UID, or the group name instead of the GID, when used with the -g, -G, or -u options.
    • -u/--user: Displays the account’s UID.
  • The “last” command pulls information from the “/var/log/wtmp” file to display a list of accounts with either the last time they logged in/out of the system or whether they are still logged on.  Additionally, it shows when system reboots occurred and when the wtmp file started.
    • The “/var/log/wtmp” file usually gets rotated automatically via the cron utility, so if you need information from old wtmp files, use the “-f” switch (“-f /var/log/wtmp.1” views data from the /var/log/wtmp.1 file).

 

Screenshot: using the “whoami”, “who”, “w”, “id” and “last” commands in Linux.
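The last command described above answers the monitoring questions at the top of this section, but its output is meant for eyes, not scripts. The filters below read it from standard input and pull out who is still logged in, how many reboots the file records, and how many logins came from each remote host. This is an added example, not code from the original post; the captured lines it runs on are constructed (hostnames, kernel string and times are placeholders), and on a live system you would pipe in last, or last -f /var/log/wtmp.1 for a rotated file.

```shell
#!/bin/sh
# Added example (not from the original post): filters over "last"-style
# output read from stdin. LAST_SAMPLE is a constructed capture for the demo.

LAST_SAMPLE='kali      pts/1        192.0.2.10         Tue Mar  5 09:12   still logged in
JamesBond tty2                            Tue Mar  5 08:01 - 08:45  (00:44)
reboot    system boot  kernel-placeholder Tue Mar  5 07:58   still running
kali      pts/0        192.0.2.10         Mon Mar  4 17:30 - 18:02  (00:32)
Batman    pts/2        198.51.100.7       Mon Mar  4 12:10 - 12:11  (00:01)

wtmp begins Mon Mar  4 07:00:00 2024'

still_logged_in() {
    # Print "user tty" for every session that has not ended.
    awk '/still logged in/ { print $1, $2 }'
}

reboot_count() {
    # Reboots appear as pseudo-user "reboot"; print how many are recorded.
    grep -c '^reboot '
}

logins_by_host() {
    # Count logins per remote host. The host column is only present for
    # remote sessions; local tty logins (no host) and reboot lines are skipped.
    # The address test assumes dotted IPv4 hosts, as in the sample.
    awk '$1 != "reboot" && $3 ~ /^[0-9]+\./ { c[$3]++ } END { for (h in c) print h, c[h] }' | sort
}

printf '%s\n' "$LAST_SAMPLE" | still_logged_in
printf '%s\n' "$LAST_SAMPLE" | reboot_count
printf '%s\n' "$LAST_SAMPLE" | logins_by_host
```

A sudden jump in logins from one host, or a session still open for an account that should be inactive, is exactly the kind of finding a periodic run of these filters over the rotated wtmp files surfaces.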

Managing Disk Space Usage in Linux

As a system administrator, set quotas (on blocks and inodes) that limit system users’ disk space consumption to prevent a filesystem from filling up with files/digital junk; Linux can limit both the:

  • Number of files a user/group may create
  • Total filesystem space consumed by a single user or a group

In most situations, enabling filesystem quotas can be accomplished in 4 steps:

  • Modify the “/etc/fstab” file to enable filesystem quota support.  The modification is simple: edit the file and add usrquota, grpquota, or both to the filesystem’s mount options.
  • Remount the filesystem.  Once you have the /etc/fstab file modified:
    • If the filesystem is already mounted, unmount it via the “umount” command, then mount it again using the “mount -a” command, which mounts any unmounted filesystems listed in the “/etc/fstab” file.
    • Check that the mount was successful with the mount command and the grep utility.  The mounted filesystem now has both usrquota (user quotas) and grpquota (group quotas) enabled.
  • Create the quota files via the “quotacheck” utility.
    • The “-c” switch creates the needed files via a scan of the filesystem, recording any current quota usage.
    • The “-u” option creates the “aquota.user” file.
    • The “-g” option creates the “aquota.group” file.
      • If only implementing user quotas and not group quotas, you could leave off the -g switch, and vice versa.
      • If setting up quotas on more than one filesystem, issue the “quotacheck” command once with the “-a” option along with the other command switches; it creates the desired quota files for any quota-enabled filesystems mounted in the /etc/mtab file.
  • Establish user or group quota limits and grace periods.
    • If you have problems enabling filesystem quotas, turn them off with the “quotaoff” command.
      • The “-a” option turns them off for all the system’s quota-enabled filesystems.
      • Specify user quotas (“-u”) and/or group quotas (“-g”) in the command.
      • Once the issues are resolved, turn filesystem quotas on with the “quotaon” command.
    • With the quota files created, use the “edquota” utility to create quota limits for user accounts and/or groups.
      • To edit user quotas, use the -u option (which is the default).
      • To edit group quotas, use the -g switch.
      • The “edquota” command opens the quota file in the vim (vi) editor.  In the quota file, there are two preset items, blocks (blocks used) and inodes (number of current files), that you cannot permanently modify because this information was obtained when the “quotacheck” command was run and is not set via the “edquota” utility.
      • You can modify the soft and hard limits for both blocks and inodes.
        • When setting a hard block limit, you are setting the maximum number of blocks the user can fill with data.
        • When you set inode hard limits, you are setting the total number of files that the user can create.
        • Once the user hits either of these limits, no more disk space or file creation is available for that account on this particular filesystem.
      • Soft limits are more forgiving.  When a user hits a set soft limit, they get a grace period during which they may exceed the soft limit (up to the hard limit).
      • Use the “edquota -t” command to establish the grace period for any soft limits set for both blocks and inodes.
    • Double-check your modifications with the “quota” command.
    • Run another check of all your quota-limited filesystems with the “repquota” command.
    • Use a cron job to set up automatic checks of your filesystems’ quotas with the “quotacheck” utility.
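The four quota steps above, as an added example that is not code from the original post. The first step is the one most often done by hand-editing /etc/fstab, so add_quota_opts does it programmatically: it rewrites only the mount-options field of the chosen entry, adds usrquota and grpquota exactly once, and leaves comments and the other filesystems untouched. The remaining steps (remount, quotacheck, quotaon, edquota, repquota) need root and a real filesystem, so they are gathered in a function that only executes with APPLY=1. The fstab contents, the /home mount point and the JamesBond account are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): enable quota mount options in
# an fstab-style file safely, then run steps 2 to 4 only when APPLY=1.

add_quota_opts() {
    # $1 = fstab file, $2 = mount point; prints the rewritten file
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { print; next }    # comments and blanks pass through
        $2 == mp {
            opts = $4
            if (opts !~ /(^|,)usrquota(,|$)/) opts = opts ",usrquota"
            if (opts !~ /(^|,)grpquota(,|$)/) opts = opts ",grpquota"
            $4 = opts                            # re-joins the line with single spaces
        }
        { print }
    ' "$1"
}

quota_opts_for() {
    # $1 = fstab file, $2 = mount point; prints that entry's options field
    awk -v mp="$2" '!/^[ \t]*#/ && $2 == mp { print $4 }' "$1"
}

FSTAB_SAMPLE=$(mktemp); trap 'rm -f "$FSTAB_SAMPLE"' EXIT
cat > "$FSTAB_SAMPLE" <<'EOF'
# constructed /etc/fstab for the demo
UUID=PLACEHOLDER-ROOT   /       ext4    errors=remount-ro   0 1
UUID=PLACEHOLDER-HOME   /home   ext4    defaults            0 2
UUID=PLACEHOLDER-SWAP   none    swap    sw                  0 0
EOF

add_quota_opts "$FSTAB_SAMPLE" /home     # step 1: show the rewritten entries

apply_quotas() {
    # Steps 2 to 4 from the text; run as root with APPLY=1 after the real
    # /etc/fstab has been updated (write add_quota_opts output to a temp file,
    # review it, then move it into place).
    [ "${APPLY:-0}" = 1 ] || { echo "dry run: set APPLY=1 and run as root"; return 0; }
    umount /home && mount -a                 # step 2: remount with the new options
    mount | grep ' /home '                   # confirm usrquota,grpquota are active
    quotacheck -cug /home                    # step 3: create aquota.user and aquota.group
    quotaon -ug /home
    edquota -u JamesBond                     # step 4: set soft/hard block and inode limits
    edquota -t                               # grace periods for the soft limits
    repquota /home                           # report usage against limits
}
apply_quotas
```

Because the awk rewrite tests for the option with delimiters on both sides, running it twice against the same file does not append the options a second time, and an entry that already had usrquota gets only grpquota added.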

Summary: How to Manage Linux Groups and Users

Knowing how to manage Linux groups and users involves many moving parts, including:

  • Understanding the files used in the account creation process
  • Troubleshooting authentication issues for a particular user
  • Using user identification utilities
  • Understanding user groups and their impact on the authorization process in regard to access to files and directories
