Managing Users and Groups
Concepts#
Groups#
Every user belongs to at least one group. Groups simplify permission management — instead of granting access to individual users, you assign them to a group and set permissions on the group.
Each user has:
- Primary group — assigned when the account is created (usually a group with the same name as the user). New files are owned by this group.
- Supplementary groups — additional groups the user belongs to for extra permissions.
id kmiguel
# uid=1000(kmiguel) gid=1000(kmiguel) groups=1000(kmiguel),27(sudo),4(adm)
#                   ↑ primary group   ↑ supplementary groups
The /etc/group File#
grep sudo /etc/group
# sudo:x:27:kmiguel,alice
Format: groupname:password:GID:members
| Field | Meaning |
|---|---|
| groupname | Name of the group |
| password | x (group passwords are rarely used) |
| GID | Numeric group ID |
| members | Comma-separated list of users in this group (supplementary) |
Note: users whose primary group is this group are NOT listed here — they are defined by the GID field in /etc/passwd.
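What the note above means when you audit a sensitive group: the members field alone can under-report, so a complete listing has to join /etc/group with the GID field of /etc/passwd. This is an added example, not part of the original page; the function name group_members and the sample files are constructed for illustration.

```sh
#!/bin/sh
# group_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints every user in GROUP, one per line, sorted and de-duplicated:
#   - supplementary members: field 4 of the matching line in the group file
#   - primary members: passwd entries whose GID (field 4) is the group's GID
# The function name and the sample data below are constructed for this example.
group_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Resolve the group's numeric GID (field 3); fail on an unknown group.
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    if [ -z "$gid" ]; then
        echo "no such group: $grp" >&2
        return 1
    fi

    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample files: bob's primary group is developers (GID 2000),
# so he does not appear in the developers line of the group file.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:kmiguel,alice
adm:x:4:kmiguel
developers:x:2000:alice
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
kmiguel:x:1000:1000:K Miguel:/home/kmiguel:/bin/bash
alice:x:1001:1001:Alice Smith:/home/alice:/bin/bash
bob:x:1002:2000:Bob:/home/bob:/bin/bash
EOF

echo "grep sees:  $(grep '^developers:' "$SAMPLE_DIR/group")"
echo "audit sees: $(group_members developers "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd" | tr '\n' ' ')"
```

Called with only a group name, the function reads the real /etc/group and /etc/passwd.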
Common System Groups#
| Group | GID | Purpose |
|---|---|---|
| root | 0 | Root group |
| sudo | 27 | Can use sudo |
| adm | 4 | Can read system logs |
| www-data | 33 | Web server processes |
| plugdev | 46 | Access to removable devices |
| docker | varies | Run Docker without sudo |
| lpadmin | varies | Manage printers |
Creating Users#
useradd — Low-Level Command#
# Basic user creation
sudo useradd alice
# With options (recommended)
sudo useradd -m -s /bin/bash -c "Alice Smith" alice
| Option | Meaning |
|---|---|
| -m | Create a home directory (/home/alice) |
| -s /bin/bash | Set the login shell |
| -c "Alice Smith" | Set the comment (full name) |
| -G sudo,adm | Add to supplementary groups |
| -d /home/alice | Specify home directory path (default: /home/username) |
| -e 2026-12-31 | Account expiration date |
| -u 1500 | Specify UID |
After creating a user with useradd, you must set their password:
sudo passwd alice
# Enter new password twice
adduser — Friendly Wrapper (Debian/Ubuntu)#
adduser is a Debian/Ubuntu-specific interactive wrapper around useradd:
sudo adduser alice
It prompts you for:
- Password
- Full name
- Room number, phone, etc. (optional; just press Enter to skip)

It also:
- Creates the home directory automatically
- Copies skeleton files from /etc/skel/
adduser is preferred on Debian/Ubuntu because it handles defaults correctly and is more user-friendly.
Modifying Users#
usermod — Modify User#
# Add user to a supplementary group (APPEND — preserves existing groups)
sudo usermod -aG sudo alice
# Change the login shell
sudo usermod -s /bin/zsh alice
# Change the home directory (and move files)
sudo usermod -d /home/alice_new -m alice
# Lock an account's password (disables password login)
sudo usermod -L alice
# Unlock an account
sudo usermod -U alice
# Change the username
sudo usermod -l alice_new alice
# Set account expiry
sudo usermod -e 2026-12-31 alice
Critical: When adding to groups, always use -aG (append to groups). Using -G without -a replaces all supplementary groups — this is a common and destructive mistake.
# WRONG — replaces all groups with just "docker"
sudo usermod -G docker alice
# RIGHT — adds "docker" while keeping existing groups
sudo usermod -aG docker alice
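A read-only pre-check for the mistake described above, as an added example that is not part of the original page: it lists the supplementary groups a user would lose if a given list were passed to usermod -G. The function name groups_dropped_by_G and the sample group file are constructed for illustration.

```sh
#!/bin/sh
# groups_dropped_by_G USER NEW_LIST [GROUP_FILE]
# Prints the supplementary groups USER would lose if `usermod -G NEW_LIST USER`
# were run, i.e. current memberships that are absent from NEW_LIST.
# Empty output means nothing is lost. Read-only: no account is modified.
# The function name and sample data are constructed for this example.
groups_dropped_by_G() {
    user=$1
    new_list=$2
    group_file=${3:-/etc/group}
    awk -F: -v u="$user" -v keep="$new_list" '
        BEGIN {
            # Build a lookup of the groups named in NEW_LIST.
            n = split(keep, k, ",")
            for (i = 1; i <= n; i++) kept[k[i]] = 1
        }
        {
            # Field 4 is the member list; report groups that contain the
            # user but are not in the replacement list.
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && !($1 in kept)) print $1
        }' "$group_file" | sort
}

# Constructed sample group file (not read from the running system).
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_GROUP" <<'EOF'
sudo:x:27:kmiguel,alice
adm:x:4:kmiguel,alice
developers:x:2000:alice
docker:x:998:
EOF

# What `usermod -G docker alice` would remove, sudo included:
echo "lost with -G docker: $(groups_dropped_by_G alice docker "$SAMPLE_GROUP" | tr '\n' ' ')"
# Passing the complete intended list loses nothing:
echo "lost with full list: $(groups_dropped_by_G alice sudo,adm,developers,docker "$SAMPLE_GROUP" | tr '\n' ' ')"
```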
Deleting Users#
# Remove user (keeps home directory)
sudo userdel alice
# Remove user AND their home directory
sudo userdel -r alice
# Debian/Ubuntu friendly wrapper
sudo deluser alice
sudo deluser --remove-home alice
Managing Groups#
Creating Groups#
sudo groupadd developers
sudo groupadd -g 2000 developers # with specific GID
Or the Debian/Ubuntu wrapper:
sudo addgroup developers
Deleting Groups#
sudo groupdel developers
sudo delgroup developers # Debian/Ubuntu wrapper
Adding/Removing Users from Groups#
# Add user to group
sudo usermod -aG developers alice
# Or Debian/Ubuntu wrapper:
sudo adduser alice developers
# Remove user from group (Debian/Ubuntu)
sudo deluser alice developers
# On systems without deluser, edit /etc/group manually:
sudo vigr # safe editor for /etc/group
The /etc/skel Directory#
When a new user is created, the contents of /etc/skel/ are copied to their home directory:
ls -la /etc/skel/
# .bash_logout .bashrc .profile
If you want all new users to get a specific configuration file (e.g., a custom .bashrc), put it in /etc/skel/ before creating the accounts.
Password Management#
# Change your own password
passwd
# Change another user's password (requires sudo)
sudo passwd alice
# Force password change on next login
sudo passwd -e alice
# Check password status
sudo passwd -S alice
# alice P 2024-10-15 0 99999 7 -1
# P=has password, L=locked, NP=no password
# Set password aging policy
sudo chage -l alice # view policy
sudo chage -M 90 alice # max 90 days before change required
sudo chage -m 7 alice # min 7 days between changes
sudo chage -W 14 alice # warn 14 days before expiry
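An added example (not part of the original page) that turns the passwd -S status line shown above into an audit: it flags accounts with no password and accounts whose maximum password age exceeds a chosen limit. The function names and the sample lines are constructed; the 90-day limit mirrors the chage -M 90 example.

```sh
#!/bin/sh
# audit_passwd_status MAX_DAYS
# Reads `passwd -S` style lines on stdin:
#   user status last-change min max warn inactive
# and prints one finding per line for accounts that are
#   - NP: no password set
#   - P with a maximum age above MAX_DAYS (99999 means effectively never)
# Locked (L) accounts are not reported. Function names are this example's own.
audit_passwd_status() {
    awk -v max="$1" '
        NF < 7 { next }                      # skip malformed lines
        $2 == "NP" { print $1 ": no password set" }
        $2 == "P" && $5 + 0 > max + 0 {
            print $1 ": max age " $5 " exceeds " max " days"
        }'
}

# Constructed sample in the format shown above (not real accounts).
sample_status() {
    cat <<'EOF'
alice P 2024-10-15 0 99999 7 -1
bob P 2024-11-02 7 90 14 -1
svc NP 2024-09-01 0 99999 7 -1
olduser L 2023-01-10 0 99999 7 -1
EOF
}

sample_status | audit_passwd_status 90
# On a live Debian/Ubuntu system: sudo passwd -S -a | audit_passwd_status 90
```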
Lab#
Exercise 1: Create a User#
# Create a user the Debian/Ubuntu way
sudo adduser testuser
# Enter a password, fill in (or skip) the name fields
# Verify the user was created
grep testuser /etc/passwd
id testuser
ls -la /home/testuser
# The home directory was created with files from /etc/skel
sudo ls -la /home/testuser
Exercise 2: Manage Groups#
# Create a group
sudo addgroup testgroup
# Verify
grep testgroup /etc/group
# Add the test user to the group
sudo adduser testuser testgroup
# Verify
id testuser
groups testuser
# Also add yourself
sudo adduser $(whoami) testgroup
# NOTE: You may need to log out and back in (or run: newgrp testgroup)
# for the new group membership to take effect in your current session
Exercise 3: Group Membership Takes Effect#
# Check your current groups
groups
# If you just added yourself to testgroup, it might not show yet
# Start a new shell with the group active
newgrp testgroup
groups
# Now testgroup should appear
# Exit the newgrp shell
exit
Exercise 4: Modify a User#
# Change the test user's shell
sudo usermod -s /bin/sh testuser
grep testuser /etc/passwd
# Shell should now be /bin/sh
# Change it back
sudo usermod -s /bin/bash testuser
# Lock the account
sudo usermod -L testuser
sudo passwd -S testuser
# Should show 'L' (locked)
# Unlock
sudo usermod -U testuser
Exercise 5: Practice the Dangerous -G vs -aG#
# Check testuser's groups
id testuser
# Safely add to another group
sudo usermod -aG adm testuser
id testuser
# Should now include testgroup AND adm
# If you had used -G without -a:
# sudo usermod -G adm testuser
# testuser would LOSE testgroup membership!
# (Don't run this — just understand the risk)
Exercise 6: Clean Up#
# Delete the test user and their home directory
sudo deluser --remove-home testuser
# Verify
grep testuser /etc/passwd
# Should return nothing
# Delete the test group
sudo delgroup testgroup
# Verify
grep testgroup /etc/group
Review#
1. What is the difference between a primary group and a supplementary group?
A primary group is the default group assigned to a user (usually a group with the same name as the user). New files created by the user are owned by this group. Supplementary groups are additional groups the user belongs to for extra permissions.
2. What is the critical difference between `usermod -G` and `usermod -aG`?
-G sets the user’s supplementary groups to EXACTLY what you specify — replacing all existing groups. -aG (with the -a for append) ADDS the specified group while preserving all existing group memberships. Always use -aG to avoid accidentally removing groups.
3. What is `/etc/skel` used for?
It is a skeleton directory. When a new user is created, the contents of /etc/skel are copied to their new home directory. It typically contains .bashrc, .profile, and .bash_logout.
4. Why is `adduser` preferred over `useradd` on Debian/Ubuntu?
adduser is interactive, creates the home directory automatically, copies skeleton files, prompts for a password, and handles Debian/Ubuntu-specific defaults. useradd is a low-level command that requires explicit flags (like -m for the home directory) and a separate passwd call.
5. How do you force a user to change their password at next login?
sudo passwd -e username — this expires the password immediately, forcing the user to set a new one at their next login.
6. Why might you need to log out and back in after adding yourself to a group?
Group memberships are read at login time. Adding yourself to a group with usermod updates /etc/group but does not affect your current session. You need to log out and log back in (or use newgrp groupname) for the new group to take effect.
7. How do you completely remove a user and all their files?
sudo deluser --remove-home username on Debian/Ubuntu, or sudo userdel -r username. This deletes the user account and their home directory.