In this article, you will learn –

How to manage users and groups on a Linux system
Create a new user account in Linux
Add user to a group in Linux
Create user group in Linux
Remove user group in Linux

Manage Linux Users

But, before we discuss how to manage Linux users and Linux groups, let me explain why having a distinct user account is vital from a security standpoint. Many users begin using the root account on the first boot of a Linux server, which is not recommended. It is not a good idea to execute day-to-day server operations using a root account. The root user is a superuser account. Staying logged in as root guarantees that sooner or later you will run an incorrect command, and the system will execute it, most of the time without even asking for confirmation. When you log in as a non-root user, you have less access to the system and are less likely to do something bad.

Second, adding users to a group or groups rather than managing individual users makes it easier to manage multiple users in Linux. This takes us to the topic of Linux user groups. It may be tedious for some desktop users, but it is a useful function for system administrators.

Linux User Groups

Managing multiple users is a difficult chore for a system administrator, especially when the users come from various domains. An administrator may want to grant one type of user access to a directory while denying other types of users access to other directories on the system. Alternatively, an administrator may want to have multiple sorts of users with varied permissions in the same directory. It is possible to accomplish this on Linux by creating Linux user groups.

Assume we own a software development firm. All project directories are stored on a central server. We only want to provide Python programmers access to the Python directory, which contains all of the Python code. To demonstrate, we will create a new user named sandy. Sandy is a Python developer who requires access to our server’s Python code directory. So let’s start by making his account.

Create a new user in Linux

Creating a new user in Linux is extremely easy from GUI. For example, I am using Manjaro Linux (Deepin), and creating a new user is like creating a new note in any note-taking application. Just type the username & password, and that’s it.

But if you need to create a new user on a Linux server, the following two commands can do the job –

useradd
adduser

useradd – This command is available in all Linux distros. It accepts different arguments to create a new user in Linux. If run without arguments, the command will create a user account without a home directory, shell extension, etc. You can, however, set the default options in /etc/default/useradd so that each time a user is created, the command takes the default values from /etc/default/useradd automatically.

adduser – A command written in Perl that uses useradd in the backend. Unlike useradd, it only requires the username and runs a setup in the terminal to create a user. It is easier than useradd. adduser is only available in Ubuntu and other Debian-based Linux distributions.

How to use useradd?

sudo useradd -m sandy

The above command will create a user account with a home directory at /home/sandy. Now set the password for the user.

sudo passwd sandy

And that’s it. A user has been created. If you want a different home directory for the user, the -d parameter is for that; keep -m so that the directory is actually created.

sudo useradd -m -d /home/james sandy

You can also set the shell in the useradd command. Just use the -s parameter.

sudo useradd -m -d /home/james -s /bin/bash sandy

How to use adduser?

As I mentioned above, adduser is way easier than useradd. It only requires the username. adduser asks questions and passes your answers as the parameter values to the useradd command.

sudo adduser sandy

If you are using Ubuntu or other Debian-based distros, go ahead with the adduser command. This command was created to simplify the user creation process on Linux systems.

Add User group in Linux

As mentioned above, managing Linux users is easier by adding them to one or more Linux groups. We can create a group called ‘python-programmers’, add sandy, our Python developer, to this group, and then grant him access to the Python directory.

sudo groupadd python-programmers

Add user to a group in Linux

Now add sandy to the python-programmers group.

sudo usermod -aG python-programmers sandy

Add group to a directory in Linux

Change the group of the Python directory that exists under $HOME/Projects/Python.

sudo chown -R :python-programmers $HOME/Projects/Python

Add Permissions To Directory

Now add read & write permission to the directory for the group users.

sudo chmod -R g+rw $HOME/Projects/Python

Remove Permissions From Directory

And finally, disallow other users from accessing the Python directory.

sudo chmod -R o-rwx $HOME/Projects/Python

And the job is done! Now the Python directory can only be accessed by its owner, the root user, or any user in the ‘python-programmers’ group.
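A check that can be run after the chown and chmod steps above (an added example, not part of the original article; the function names and the constructed test tree are assumptions). It goes slightly beyond the text by also flagging directories without the setgid bit, because without it files created later get their creator's primary group instead of the shared group.

```shell
#!/bin/sh
# audit_shared_dir DIR GROUP
# Prints one finding per line and nothing when the tree is clean:
#   OTHER  <path>  entry grants some permission to "others"
#   GROUP  <path>  entry is not group-owned by GROUP
#   SETGID <path>  directory lacks setgid, new files will not inherit GROUP
# Usage: audit_shared_dir "$HOME/Projects/Python" python-programmers
audit_shared_dir() {
    dir=$1
    group=$2
    # Symlinks always show mode 777, so they are skipped in the "others" test.
    find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf 'OTHER %s\n' {} \;
    find "$dir" ! -group "$group" -exec printf 'GROUP %s\n' {} \;
    find "$dir" -type d ! -perm -2000 -exec printf 'SETGID %s\n' {} \;
}

# Constructed sample tree: one world-readable file and one directory
# without setgid, everything else set up the way the procedure intends.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/sub"
    : > "$t/ok.py"
    : > "$t/leaky.py"
    chmod 660 "$t/ok.py"
    chmod 664 "$t/leaky.py"    # readable by others on purpose
    chmod 770 "$t/sub"
    chmod g-s "$t/sub"         # no setgid on purpose
    chmod 2770 "$t"            # shared root: rwx for owner and group, setgid
    printf '%s\n' "$t"
}
```

To make new files inherit the group, set the bit on directories only, for example with find DIR -type d -exec chmod g+s {} +.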

But there is a problem!

The above procedure will do the job. It will grant access to users of python-programmers to the Python directory, but there is a problem. The above approach will only allow one group of users to access the Python directory at a time. If you want to allow some other developers access to the Python directory, you will have to remove access from the previous group and set the new group as the directory owner. To resolve this problem and allow access to multiple types of users at a time, we can use access control lists.

Access control lists

Let’s say we have a group of auditors in our company. We want to allow the group auditors to have ‘read’ access to the Python directory without removing any other group from it.

setfacl -m g:auditors:rx -R $HOME/Projects/Python

And that is it. Now the users of the python-programmers group have read & write access, and users of the auditors group have read access on the Python directory. If you also want auditors to have write access, add the w in the above command.

setfacl -m g:auditors:rwx -R $HOME/Projects/Python
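One caveat with the ACL commands above: once a directory carries an ACL, a later chmod on the group bits changes the ACL mask, and the mask caps what named groups such as auditors actually get. The following added example (not from the original article; function names and the sample getfacl text are constructed) reads getfacl-style output and prints the effective permissions of each entry.

```shell
#!/bin/sh
# effective_acl: read getfacl-style text on stdin, print each access entry
# with the permissions that remain after the mask is applied.
# Usage on a real system: getfacl DIR | effective_acl
effective_acl() {
    awk -F: '
        # Drop header lines and any trailing "#effective:..." comment.
        { sub(/[ \t]*#.*/, "") }
        $0 == "" { next }
        $1 == "default" { next }          # default ACLs are not evaluated here
        $1 == "mask" { mask = $3; next }
        { n++; tag[n] = $1; name[n] = $2; perm[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = perm[i]
                # The mask limits named users, named groups and the owning
                # group; the file owner and "other" are never masked.
                masked = (tag[i] == "group" || (tag[i] == "user" && name[i] != ""))
                if (masked && mask != "") {
                    e = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(p, k, 1)
                        e = e ((c == substr(mask, k, 1)) ? c : "-")
                    }
                    p = e
                }
                print tag[i] ":" name[i] ":" p
            }
        }'
}

# Constructed sample: auditors were granted rwx, then a chmod that removed
# group write lowered the mask to r-x.
sample_getfacl() {
    cat <<'EOF'
# file: Projects/Python
# owner: alice
# group: python-programmers
user::rwx
group::rwx
group:auditors:rwx   #effective:r-x
mask::r-x
other::---
EOF
}
```

With the sample input, both python-programmers (the owning group) and auditors end up with r-x even though their entries say rwx.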

Remove user in Linux

You may also need to remove a user in Linux. It can be done using the userdel command.

userdel sandy

If the user still has running processes, userdel refuses with a message like –

userdel: The user sandy is being used by process 3861

List all processes of a user in Linux

ps -u sandy

Or there is another command to list a user’s processes in Linux, pgrep.

pgrep -u sandy

Output -

4831 4832 4845 4849 4851 4856 4860 4958 4961 4966 4975 4980 4983 4997 5012 5023 5032 5034 5042

Kill all processes used by the user

The killall command will kill all of the user’s processes.

killall -u sandy

Remove a Linux user

After all the user’s processes are killed, we can delete the user.

userdel sandy

As I mentioned above, by default, the command will not remove the user’s home directory. To also remove the user’s home directory, add the -r argument to the command.

userdel -r sandy

Remove user from a group in Linux

If you decide to snatch away rights from a user, remove the user from the group.

sudo gpasswd -d sandy python-programmers

If the user is a member of the group, it will output the following –

Removing user sandy from group python-programmers

Remove a group in Linux

If you want to remove a group in Linux, use the groupdel command.

groupdel groupname

If the group being deleted is the primary group of any user on the system, the group cannot be deleted. In that case, change the primary group of that user first.

Delete the auditors group from the system.

groupdel auditors

Conclusion

That’s all there is to it. Managing Linux users and Linux groups is simple. Once you’ve learned how to manage users, you’ll be able to keep your files safe and private without relying on a third-party library or service.