Users and groups
Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.
Overview
A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.
Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.
Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as «root».
Users may be grouped together into a «group», and users may be added to an existing group to utilize the privileged access it grants.
Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.
Permissions and ownership
The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: «everything is a file,» widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a «file.» Since every «file» is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.
A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, » cat /dev/audio > myfile » and » cat myfile > /dev/audio ,» respectively.
Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:
total 13740 drwxr-xr-x 2 root root 4096 Jan 12 00:33 grub -rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img -rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img -rw-r--r-- 1 root root 1457315 Jan 8 08:19 System.map26 -rw-r--r-- 1 root root 2209920 Jan 8 08:19 vmlinuz-linux
The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r—r— ). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.
total 16 drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared
In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:
How to Add or Remove Linux User From Group
Linux is by default a multi-user system (meaning many users can connect to it simultaneously and work), thus Linux user management is one of the fundamental tasks of a system administrator, which includes everything from creating, updating, and deleting user accounts or user groups on a Linux system.
In this short quick article, you will learn how to add or remove a user from a group in a Linux system.
Check a User Group in Linux
To find out what group a user is in, just run the following groups command and provide the username (tecmint in this example) as an argument.
# groups tecmint tecmint : tecmint wheel
To find out the group of root user in Linux, just run the groups command without any argument.
# group root
Add a User to a Group in Linux
Before trying to add a user to a group, ensure that the user exists on the system. To add a user to a certain group, use the usermod command with the -a flag which tells the usermod to add a user to the supplementary group(s), and the -G option specifies the actual groups in the following format.
In this example, tecmint is the username and postgres is the group name:
# usermod -aG postgres tecmint # groups tecmint
Remove a User from a Group in Linux
To remove a user from a group, use the gpasswd command with the -d option as follows.
# gpasswd -d tecmint postgres # groups tecmint
Additionally, on Ubuntu and its derivatives, you can remove a user from a specific group using the deluser command as follows (where tecmint is the username and postgres is the group name).
$ sudo deluser tecmint postgres
For more information, see the man pages for each of the different commands we have used in this article.
$ man groups $ man usermod $ man gpasswd $ man deluser
You will also find the following user management guides very useful:
Delete user and group in linux
NAME
deluser, delgroup - remove a user or group from the system
SYNOPSIS
deluser [options] [--force] [--remove-home] [--remove-all-files] [--backup] [--backup-to DIR] user deluser --group [options] group delgroup [options] [--only-if-empty] group deluser [options] user group COMMON OPTIONS [--quiet] [--system] [--help] [--version] [--conf FILE]
DESCRIPTION
deluser and delgroup remove users and groups from the system according to command line options and configuration information in /etc/deluser.conf and /etc/adduser.conf. They are friendlier front ends to the userdel and groupdel programs, removing the home directory as option or even all files on the system owned by the user to be removed, running a custom script, and other features. deluser and delgroup can be run in one of three modes: Remove a normal user If called with one non-option argument and without the --group option, deluser will remove a normal user. By default, deluser will remove the user without removing the home directory, the mail spool or any other files on the system owned by the user. Removing the home directory and mail spool can be achieved using the --remove-home option. The --remove-all-files option removes all files on the system owned by the user. Note that if you activate both options --remove-home will have no effect because all files including the home directory and mail spool are already covered by the --remove-all-files option. If you want to backup all files before deleting them you can activate the --backup option which will create a file username.tar(.gz|.bz2) in the directory specified by the --backup-to option (defaulting to the current working directory). Both the remove and backup options can also be activated for default in the configuration file /etc/deluser.conf. See deluser.conf(5) for details. If you want to remove the root account (uid 0), then use the --force parameter; this may prevent to remove the root user by accident. If the file /usr/local/sbin/deluser.local exists, it will be executed after the user account has been removed in order to do any local cleanup. The arguments passed to deluser.local are: username uid gid home-directory Remove a group If deluser is called with the --group option, or delgroup is called, a group will be removed. Warning: The primary group of an existing user cannot be removed. If the option --only-if-empty is given, the group won't be removed if it has any members left. Remove a user from a specific group If called with two non-option arguments, deluser will remove a user from a specific group.
OPTIONS
--conf FILE Use FILE instead of the default files /etc/deluser.conf and /etc/adduser.conf --group Remove a group. This is the default action if the program is invoked as delgroup. --help Display brief instructions. --quiet Suppress progress messages. --system Only delete if user/group is a system user/group. This avoids accidentally deleting non-system users/groups. Additionally, if the user does not exist, no error value is returned. This option is mainly for use in Debian package maintainer scripts. --backup Backup all files contained in the userhome and the mailspool-file to a file named /$user.tar.bz2 or /$user.tar.gz. --backup-to Place the backup files not in / but in the directory specified by this parameter. This implicitly sets --backup also. --remove-home Remove the home directory of the user and its mailspool. If --backup is specified, the files are deleted after having performed the backup. --remove-all-files Remove all files from the system owned by this user. Note: --remove-home does not have an effect any more. If --backup is specified, the files are deleted after having performed the backup. --version Display version and copyright information.
RETURN VALUE
0 The action was successfully executed. 1 The user to delete was not a system account. No action was performed. 2 There is no such user. No action was performed. 3 There is no such group. No action was performed. 4 Internal error. No action was performed. 5 The group to delete is not empty. No action was performed. 6 The user does not belong to the specified group. No action was performed. 7 You cannot remove a user from its primary group. No action was performed. 8 The required perl-package 'perl modules' is not installed. This package is required to perform the requested actions. No action was performed. 9 For removing the root account the parameter "--force" is required. No action was performed.
FILES
SEE ALSO
deluser.conf(5), adduser(8), userdel(8), groupdel(8)
COPYRIGHT
Copyright (C) 2000 Roland Bauerschmidt. Modifications (C) 2004 Marc Haber and Joerg Hoh. This manpage and the deluser program are based on adduser which is: Copyright (C) 1997, 1998, 1999 Guy Maor. Copyright (C) 1995 Ted Hajek, with a great deal borrowed from the original Debian adduser Copyright (C) 1994 Ian Murdock. deluser is free software; see the GNU General Public Licence version 2 or later for copying conditions. There is no warranty.
© 2019 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.