GNU/Linux – Users and Groups

Managing users and groups on GNU/Linux (referred to as Linux for brevity going forward) is done differently than on other operating systems, particularly those that make heavy (or nearly exclusive) use of graphical user interfaces. Linux was a command-line first operating system, and most of the administration associated with it is typically done via the same commands to this day. I hesitate to trust a Linux sysadmin that prefers to manage users or groups via a GUI. In this post, I aim to explain some of the common administrative tasks that you will perform as it relates to this subject.

Linux, deriving from Unix (and earlier MULTICS), is and always has been a multi-user operating system. Many users were expected to connect to either a mainframe or a single server using a dedicated user account to perform their work. In Linux, this remains the same. Usernames are stored in the /etc/passwd file. This file is owned by user root but has read access for everyone on the Linux system. A sample of /etc/passwd may look like the output below. These examples come from a machine running Oracle Linux, a downstream version of Red Hat Enterprise Linux distributed by Oracle Corporation.

$ cat /etc/passwd
tom:x:1000:999:users:/home/tom:/bin/bash
dick:x:1001:999:users:/home/dick:/bin/bash
harry:x:1002:999:users:/home/harry:/bin/bash
adminguy:x:1003:998:admins:/home/adminguy:/bin/ksh

File /etc/passwd is delimited by the colon character : and provides useful information about users on the Linux system. Its fields, in order, are as follows.

  1. Username
  2. User’s encrypted password, denoted by placeholder: x
  3. Numerical UID of the user
  4. Numerical GID of the user’s primary group
  5. The user’s home directory
  6. The default shell of the user (bash, ksh, csh, etc.)

It should be noted that other Linux-like systems may contain additional fields in /etc/passwd to hold information such as the user’s full name, department, or similar details. This will vary from system to system. An easy way to get the list of all users on the system is to use the cut utility to extract the first field from /etc/passwd.

$ cat /etc/passwd | cut -d: -f1
tom
dick
harry
adminguy
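
Because /etc/passwd is readable by every user, its fields are worth auditing as well as listing. The following is an added example, not part of the original post: a shell function (audit_passwd, a hypothetical name) that reads a passwd-format file and flags records with an empty password field, a password hash stored in the file itself instead of the x placeholder, a non-root name with UID 0, a UID shared with an earlier record, or a field count other than seven. It assumes the seven-field layout of the sample lines above, where a comment field (users, admins) sits between the group ID and the home directory; the sample records in the block are constructed.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for entries worth a second look.
# audit_passwd and sample_passwd are hypothetical helper names.

# Usage: audit_passwd [FILE]  (default /etc/passwd; "-" reads standard input)
audit_passwd() {
    awk -F: '
        NF == 0 || /^#/ { next }    # skip blank lines and comments
        NF != 7 { printf "FIELDS %s: line %d has %d fields, expected 7\n", $1, NR, NF; next }
        # Field 2: "x" means the hash is kept in /etc/shadow; a value starting
        # with "*" or "!" cannot match any password.
        $2 == "" { printf "NOPASS %s: empty password field\n", $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[!*]/ {
            printf "INLINE %s: password hash stored in the world-readable file\n", $1
        }
        # Field 3: UID 0 carries root privileges whatever the username is.
        $3 == 0 && $1 != "root" { printf "UID0 %s: non-root name with UID 0\n", $1 }
        # Two names on one UID are the same account to the kernel.
        ($3 in seen) { printf "DUPUID %s: shares UID %s with %s\n", $1, $3, seen[$3] }
        !($3 in seen) { seen[$3] = $1 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample records (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
tom:x:1000:999:users:/home/tom:/bin/bash
legacy:$6$constructed$notarealhash:1001:999:users:/home/legacy:/bin/bash
guest::1002:999:users:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
dick:x:1000:999:users:/home/dick:/bin/bash
broken:x:1003:/home/broken:/bin/bash
EOF
}

sample_passwd | audit_passwd -
```

Run as audit_passwd with no argument to check the live /etc/passwd; no output means none of the five conditions matched.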

Linux also provides the id command that can be used to get information about a single user. For example, the below id oracle command returns user and group information about the operating system user: oracle.

$ id oracle
uid=1010(oracle) gid=1020(oinstall) groups=1020(oinstall),1030(dba),1040(oper)

Creating users and groups in most Linux distributions is relatively simple. We can use commands useradd and groupadd as the root user.

# useradd sally
# groupadd networkadmins

We can then use the id command again to see that user sally was created successfully. The getent command, when supplied the group argument, will return a list of groups on the system. We use the grep command to show only those that contain “network” in the name.

# id sally
uid=1041(sally) gid=1041(sally) groups=1041(sally)
# getent group | grep network
networkadmins:x:1003:

A few other common commands that you will regularly use are commands to either change a user’s primary group (perhaps during a department transfer of an employee) or to add to a user’s list of secondary groups. The usermod command can handle each of these cases.

The below commands create the oracle user, change its primary group to oinstall and add it to secondary groups oper and dba.

# #create user oracle, groups oinstall,dba,oper
# useradd oracle
# groupadd oinstall
# groupadd dba
# groupadd oper
# #change oracle user's primary group to oinstall
# usermod -g oinstall oracle
# #assign secondary groups dba and oper to oracle
# usermod -a -G dba oracle
# usermod -a -G oper oracle
# #list characteristics of user oracle
# id oracle
uid=1002(oracle) gid=1004(oinstall) groups=1004(oinstall),1005(dba),1006(oper)

Another common task that you will routinely perform is to reset the password for a user. This can be carried out using the passwd command followed by the username.

# passwd oracle
Changing password for user oracle.
New password: <password-here>
Retype new password: <password-again-here>
passwd: all authentication tokens updated successfully.

These commands summarize the most common tasks (relating to users/groups) that you will likely perform as a Linux sysadmin on a regular basis. There are more commands that you will eventually need, but a quick web search for your Linux distribution’s documentation will likely take you to already well-written instructions for how to do so.

Hope this helps,
Dustin
