Linux is a multi-user operating system i.e., it allows multiple users on different computers or terminals to access a single system. This makes it mandatory to know how to perform effective user management; how to add, modify, suspend, or delete user accounts, along with granting them the necessary permissions to do their assigned tasks. For this multi-user design to work properly there needs to be a method to enforce concurrency control. This is where permissions come in to play.

Normally Linux/Unix based systems have two user accounts; a general user account, and the root account, which is the super user that can access everything on the machine, make system changes, and administer other users. Some variants of Linux work a little differently though. Like in Ubuntu, we can’t login directly as root by default, and need to use sudo command to switch to root-level access when making changes.

User Permissions

Permissions or access rights are methods that direct users on how to act on a file or directory. There are three basic access rights viz., read, write, and execute.

• Read –  read permission allows the contents of a file to be viewed. Read permission on a directory allows you to list the contents of a directory.
• Write – write permission on a file allows you to modify contents of that file. Write permission allows you to edit the contents of a directory or file.
• Execute – for a file, execute permission allows you to run the file as an executable program or script. For a directory, the execute permission allows you to change to a different directory and make it your current working directory.

The command  ls -l <directory/file> is used to view the permissions on a file or directory, remember to replace the information in the < > with the actual file or directory name. Below is sample output for the ls command:

-rw-r--r--  1 root  wheel  5581 Sep 10  2014 /etc/passwd

The access permissions are denoted by the first ten characters. Starting with “_”, indicating the type of resource viz., ‘d’ for directory, ‘s’ for any special file, and “_” for a regular file. Following three characters “r w -” define the owner’s permissions to the file. Here, file owner has ‘read’ and ‘write’ permissions only. The next three characters “r – –” are the permissions for members of the same group as the file owner, which in this instance is ‘read’ only. The last three characters show permissions for all other users and in this instance it is ‘read’ only.

Creating and Deleting User Accounts

In order to create a new standard user, we use useradd command. The syntax is as follows:

useradd <user-name>

The useradd command is the most portable command to create users across various Linux distributions. It provides with it a range of variables, some of which are explained in the table below:

Once a user is created, passwd command is used to set a password for the new user. Root privileges are needed to change a user password. The syntax is as follows:

passwd <user-name>

The user will be able to change password anytime using passwd command once the user is logged in. Below is an example:

$
>
>
>
>
>

passwd
Changing password for testuser.
old password:
Enter new password:
Retype new password:
passwd: password updated successfully

This is useful when you want to create a user who just needs to login and use the system in it’s current state without having to store any personal files, etc. For example, an administrator needs access to do his/her duties while a regular user might want their own home directory to store their files etc.

We have another convenient way of creating user accounts which might come in handy for first-time system administrators. There is an adduser utility which, however, needs to be installed as a new package. The installation command for Debian/Ubuntu system is as under:

apt-get install adduser

The adduser utility automatically creates a home directory and sets default group, shell, etc. To create a new standard user use adduser command; the syntax is as follows:

adduser <user-name>

Running this command will result in a series of optional information prompts. We should include user-name and a password along with the command.

Once the user account is created, full account information is stored in /etc/passwd file. This file contains a record per system user account and has the following format.

[username]:[x]:[UID]:[GID]:[comment]:[home_dir]:[default-shell]

• [username] is the created user and [comment] part is the optional description.
• x in field indicates that the account is protected by a shadowed password stored in /etc/shadow, which is required for the user login.
• [UID] and [GID] fields are integers representing User ID and the primary Group ID to which user belongs.
• [home_dir] indicates the absolute path to user’s home directory.
• [default-shell] is the shell that is allocated to this user when it logs into the system.

Group information is stored in /etc/group file. Each record has the following format:

[group]:[group-password]:[GID]:[group-members]

Removing a user account can be simply done by using userdel command. The syntax is explained below:

1

userdel <user-name>

Using the command above will only delete user’s account. User’s home directory and other files will not be deleted.

In order to completely remove the user, his home directory, and other files belonging to user, use userdel command with additional parameters as shown below:

userdel -r <user-name>

It is important to follow security policies and therefore, it is strongly recommended to use unique passwords for each account, without any compromises.

Modifying User Accounts

Once a user account is created, we can edit information associated with the user using usermod command, whose basic syntax is as follows:

usermod [options] [user-name]

Setting the Expiry Date for an Account

Use —expiredate flag followed by a date in YYYY-MM-DD format.

usermod --expiredate 2015-08-30 testuser

Adding User to Supplementary Groups

Use the combined -aG or —append —groups option, followed by a comma separating list of groups.

usermod --append --groups root,test-users testuser

Changing Default Location of User’s Home Directory

Use -d or —home option, followed by the absolute path to the new home directory.

usermod --home /tmp testuser

Changing the Shell the User will use by Default

Use  -s  or –shell option, followed by the path to the new shell.

usermod --shell /bin/sh testuser

These operations can be carried out together using the command below:

usermod --expiredate 2015-08-30 --append --groups root,users --home /tmp --shell /bin/sh testuser

Disabling Account by Locking Password

Use -L or –lock option to lock a user’s password or disable a user account.

usermod --lock testuser

Unlocking User Password

Use –u or –unlock option to unlock a user’s password that was previously locked or a user that was disabled.

usermod --unlock testuser

$ groupadd test_group 

$ chown :test_group test_file.txt 

$ usermod -aG test_group test-user  

$ groupdel [group]