Users and groups
Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as «root».
Users may be grouped together into a «group», and users may be added to an existing group to utilize the privileged access it grants.
Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.
Permissions and ownership
The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: «everything is a file,» widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a «file.» Since every «file» is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands cat /dev/audio > myfile and cat myfile > /dev/audio, respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:
total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux
The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r--). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:
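As an added example (not part of the original page), the following POSIX shell script decodes the mode column of ls -l output into its octal form, including the setuid, setgid and sticky variants (s/S/t/T in the execute slots), and then flags the entries an administrator reviews first: world-writable, setuid and setgid files. The listing it reads is constructed sample data, not output from a real system.

```shell
#!/bin/sh
# Added example: decode ls -l mode strings and flag risky entries.
# Not from the original page; the listing below is constructed sample data.

# Value of one rwx triplet (e.g. "r-x" -> 5). s/S/t/T in the third slot
# mark setuid/setgid/sticky; lowercase means the execute bit is also set.
triplet_value() {
    v=0
    case $1 in r??) v=$((v + 4)) ;; esac
    case $1 in ?w?) v=$((v + 2)) ;; esac
    case $1 in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Convert a 10-character mode string such as "-rwsr-xr-x" to octal ("4755").
mode_to_octal() {
    perms=${1#?}                      # drop the type character (-, d, l, ...)
    [ "${#perms}" -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    u=$(printf '%s' "$perms" | cut -c1-3)
    g=$(printf '%s' "$perms" | cut -c4-6)
    o=$(printf '%s' "$perms" | cut -c7-9)
    special=0
    case $u in ??[sS]) special=$((special + 4)) ;; esac   # setuid
    case $g in ??[sS]) special=$((special + 2)) ;; esac   # setgid
    case $o in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    printf '%d%d%d%d\n' "$special" "$(triplet_value "$u")" \
        "$(triplet_value "$g")" "$(triplet_value "$o")"
}

# Constructed ls -l output (not real files) used as input below.
SAMPLE_LISTING='-rw-r--r-- 1 root  root  1821573 Jan 12 00:31 initramfs-linux.img
-rwsr-xr-x 1 root  root    68208 Jan  8 08:19 passwd
-rw-rw-rw- 1 alice users     120 Jan 12 00:40 notes.txt
drwxrwxrwt 2 root  root     4096 Jan 12 00:33 tmp'

# Print "octal name owner/group flags" for each entry, flagging the bits a
# reviewer looks for: world-writable, setuid, setgid, sticky.
flag_entries() {
    printf '%s\n' "$SAMPLE_LISTING" |
    while read -r mode links owner group size mon day time name; do
        flags=""
        case $mode in ????????w?) flags="$flags WORLD_WRITABLE" ;; esac
        case $mode in ???[sS]??????) flags="$flags SETUID" ;; esac
        case $mode in ??????[sS]???) flags="$flags SETGID" ;; esac
        case $mode in ?????????[tT]) flags="$flags STICKY" ;; esac
        printf '%s %s %s/%s%s\n' "$(mode_to_octal "$mode")" "$name" \
            "$owner" "$group" "$flags"
    done
}

flag_entries
```

In the sample, tmp is world-writable but also carries the sticky bit (1777), which is the expected mode for a shared temporary directory; notes.txt is world-writable without it, which is the kind of entry worth questioning. On a real system the same functions can be fed from ls -l output instead of the embedded string.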
Creating a new user and modifying its privileges in Linux
If you use Linux with a graphical desktop environment like Ubuntu, for example, you can add or remove users through its Settings. But this is a simplified and, I have to say, limited way to do that. The right way is to use the command line, and it is the only way if you work with a Linux server. Below, you will learn all you need to know about how to create, delete, and modify users in the Linux command line.
Simple way to create a new user in Linux.
Many Linux systems have a user-friendly command to add a new user. The command is adduser. You type this command followed by the username of the new user.
The command prompts you for a password, the full name, and some additional information, which can be skipped if you want.
And that’s it. The new user is created. This command also creates a home directory for the new user (/home/username).
However, if you also need to grant this user the administrative privileges, you need to add it to the sudo group:
sudo adduser username sudo
Now, this new user will be able to execute administrative commands with sudo.
This was the simplest way to create a new user in Linux. The adduser command is available in many Linux distros, but in fact it is a more user-friendly front end to the command useradd, which is more advanced. Below, I would like to show you how to use this more advanced command too.
Universal way to create a new user in Linux.
If adduser is not available in your distro, or you want to have a little more control over the new user, you need to use the command useradd. I know the names are similar and easy to mix up. But try to remember that useradd is the more important command. Basically, adduser just points to useradd.
To create a new user with the default options, run:
To check what default options were used to create a user, run:
These are the default rules on my Debian VPS (they may differ for your system):
You can change these options and use others. To see all available options of the useradd command, check its help:
Based on these options, a more complete command would be:
sudo useradd -g users -G sudo -s /bin/bash -m -c "Full name" username
Finally, you need to set a password for this user with passwd.
New user’s system privileges
As you have seen, I added a new user to the sudo group and granted it administrative privileges. This is what I did on my server and this is what you would want to do if you are an admin of the system. But if you create a user on your Linux system for someone else, you probably do not want them to have administrative privileges. So, do not add them to the sudo group.
Setting password and account expiration
If you are a system administrator and you have many users in your system, besides not including them in the sudo group, you may also want to enhance the security of your system by setting expiration times on the passwords and accounts of these new users.
You can do this with the command chage. Note that it is spelled without an n: the command is short for "change age".
You can see all the available options of this command:
To check if there are any limitations set on a user, run:
Usually, there are no expiration dates by default. But you can set some limits with the command chage :
sudo chage -M 90 -W 30 -E 2020-06-07 username
The above command sets the password to expire after 90 days, with the warning about the need to update the password starting 30 days before the expiration. And the account will expire on June 6, 2020.
You can see that if you check the status of the user:
You can also do some manipulation with users using the command usermod . But I have to skip it because this post will be too long.
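The two checks this post recommends (who is in the sudo group, and whether chage has set any limits) can be combined into one audit. The following script is an added example, not from the original post: it reads a constructed account database embedded as strings in the same format as /etc/passwd, /etc/shadow and /etc/group, lists the human accounts, the sudo members, and the accounts whose password and account never expire, and prints the chage invocation from this post for every sudo-capable account that has no expiry. On a real system you would read the real files (as root for /etc/shadow) instead of the sample strings; the hashes and dates below are placeholders.

```shell
#!/bin/sh
# Added example: audit a constructed account database for accounts that
# hold sudo membership but have no password or account expiry set.
# Not from the original post; on a real system read /etc/passwd,
# /etc/group and (as root) /etc/shadow instead of these sample strings.

# Constructed /etc/passwd lines: name:x:uid:gid:gecos:home:shell
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash'

# Constructed /etc/shadow lines (hashes are placeholders):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# 99999 or an empty max field means the password never expires;
# an empty expire field means the account never expires.
SHADOW='root:!:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:18262:0:90:30::18420:
bob:$6$PLACEHOLDERHASH:18262:0:99999:7:::
carol:!:18262:0:99999:7:::'

# Constructed /etc/group lines: name:x:gid:member,member
GROUP='root:x:0:
sudo:x:27:alice,bob
users:x:100:'

# Login names of human accounts: UID >= 1000 with a real login shell.
human_accounts() {
    printf '%s\n' "$PASSWD" |
        awk -F: '$3 >= 1000 && $7 !~ /nologin$|false$/ { print $1 }'
}

# Supplementary members of the named group.
group_members() {
    printf '%s\n' "$GROUP" |
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",");
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Human accounts with a usable password (not locked with ! or *) whose
# password never expires and whose account has no expiry date, i.e.
# accounts that chage has never been applied to.
no_expiry_accounts() {
    for u in $(human_accounts); do
        printf '%s\n' "$SHADOW" | awk -F: -v u="$u" \
            '$1 == u && $2 !~ /^[!*]/ && ($5 == "" || $5 == 99999) && $8 == "" { print $1 }'
    done
}

# The intersection that matters most: sudo-capable accounts without expiry.
sudo_without_expiry() {
    for u in $(no_expiry_accounts); do
        if group_members sudo | grep -qx "$u"; then
            echo "$u"
        fi
    done
}

# Report each hit with the chage invocation from the post that would fix it
# (printed, not executed; run it as root after reviewing).
report() {
    for u in $(sudo_without_expiry); do
        echo "$u: in sudo group, no password/account expiry"
        echo "  suggested: sudo chage -M 90 -W 30 $u"
    done
}

report
```

With the sample data, alice already has a 90-day password limit and an account expiry, carol's password is locked, and bob is the one sudo member that the audit reports.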
How to delete a user
Finally, to delete a user, run this command:
If you also want to remove the home directory of this user, add option -r. But be careful, because it will remove all the data of this user:
Summary
- To create a new user in Linux, you can use the user-friendly command adduser or the universal command useradd . The latter is available in all Linux distros.
- New users do not have administrative privileges by default; to grant them such privileges, add them to the sudo group.
- To set time limits on password and account of a user, use the command chage .
- To delete a user, use the command userdel.
Average Linux User: I am the founder of the Average Linux User project, which is a hobby I work on at night. During the day I am a scientist who uses computers to analyze genetic data.