User Management Commands

Linux user management cheatsheet — useradd, usermod, userdel, passwd, groupadd. Create users with home dirs, add to groups, set passwords, and manage permissions on Linux.

What it is

A collection of commands for managing users and groups on a Linux system, useful for system administrators and anyone needing to control access to resources.

Installation

User management commands are typically built into the Linux operating system and do not require separate installation.

Core Concepts

  • User: An entity that can log into the system and interact with resources. Each user has a unique username and a User ID (UID).
  • Group: A collection of users. Users can belong to multiple groups, and group memberships determine permissions for shared resources. Each group has a unique Group ID (GID).
  • Primary Group: The default group a user belongs to.
  • Supplementary Groups: Additional groups a user is a member of.
  • Home Directory: A personal directory for each user, typically located at /home/<username>.
  • Shell: The command-line interpreter that a user interacts with upon login.

Commands / Usage

User Management

Creating Users:

  • sudo useradd johndoe
    • Creates a new user account named johndoe with default settings.
  • sudo useradd -m -d /home/jane -s /bin/bash jane
    • Creates a new user jane, creates their home directory /home/jane, and sets their default shell to /bin/bash.
  • sudo useradd -g users -G developers,testers -c "John Doe" jdoe
    • Creates user jdoe. Sets their primary group to users, adds them to supplementary groups developers and testers, and sets the comment field to "John Doe".
  • sudo useradd -s /sbin/nologin serviceuser
    • Creates a user serviceuser with no login shell, often used for running services.

Modifying Users:

  • sudo usermod -l janedoe jane
    • Renames the user jane to janedoe.
  • sudo usermod -d /home/newjane -m janedoe
    • Changes the home directory of janedoe to /home/newjane and moves existing files.
  • sudo usermod -s /bin/zsh janedoe
    • Changes the default shell for janedoe to /bin/zsh.
  • sudo usermod -aG sudo janedoe
    • Adds janedoe to the sudo group without removing them from other supplementary groups.
  • sudo usermod -G developers janedoe
    • Sets janedoe’s supplementary groups to only developers. Existing supplementary groups are removed.
  • sudo usermod -c "Jane Doe, Marketing" janedoe
    • Updates the comment (GECOS) field for janedoe.

Deleting Users:

  • sudo userdel johndoe
    • Deletes the user account johndoe but leaves their home directory and mail spool.
  • sudo userdel -r johndoe
    • Deletes the user account johndoe and also removes their home directory and mail spool.

Viewing User Information:

  • id johndoe
    • Displays the UID, GID, and group memberships for the user johndoe.
  • finger johndoe
    • Shows detailed information about the user johndoe, including login name, real name, terminal, login time, etc. (may need to be installed: sudo apt install finger or sudo yum install finger).
  • getent passwd johndoe
    • Retrieves the entry for johndoe from the password database (which includes user information).
  • getent group developers
    • Retrieves the entry for the developers group from the group database.

Password Management

Setting/Changing Passwords:

  • sudo passwd johndoe
    • Allows the current user (with sudo) to change the password for johndoe.
  • passwd
    • Allows the logged-in user to change their own password.
  • sudo passwd -d johndoe
    • Deletes the password for johndoe, making the account accessible without a password (use with extreme caution).
  • sudo passwd -l johndoe
    • Locks the password for johndoe, preventing password-based login. Other authentication methods, such as SSH keys, are not affected.
  • sudo passwd -u johndoe
    • Unlocks the password for johndoe.

Group Management

Creating Groups:

  • sudo groupadd developers
    • Creates a new group named developers.
  • sudo groupadd -g 1005 webteam
    • Creates a new group webteam with a specific GID of 1005.

Modifying Groups:

  • sudo groupmod -n webdevelopers webteam
    • Renames the group webteam to webdevelopers.
  • sudo groupmod -g 1006 webdevelopers
    • Changes the GID of the webdevelopers group to 1006.

Deleting Groups:

  • sudo groupdel developers
    • Deletes the group developers. This will fail if any user has this group as their primary group.

Adding/Removing Users from Groups (Manual):

  • sudo gpasswd -a johndoe developers
    • Adds johndoe to the developers group.
  • sudo gpasswd -d johndoe developers
    • Removes johndoe from the developers group.

Permissions and Ownership

Changing File/Directory Ownership:

  • sudo chown janedoe:developers /var/www/html
    • Changes the owner of /var/www/html to janedoe and the group owner to developers.
  • sudo chown -R wilson:wilson /home/wilson/projects
    • Recursively changes the owner and group of all files and directories within /home/wilson/projects to wilson.
  • sudo chown janedoe /var/www/html
    • Changes only the owner of /var/www/html to janedoe, leaving the group unchanged. (With a trailing colon, janedoe:, chown also sets the group to janedoe's login group.)

Changing File/Directory Permissions:

  • sudo chmod 755 /usr/local/bin/myscript.sh
    • Sets permissions for myscript.sh to rwxr-xr-x (owner: read, write, execute; group: read, execute; others: read, execute).
  • sudo chmod u+x /usr/local/bin/myscript.sh
    • Adds execute permission for the owner (u+x) to myscript.sh.
  • sudo chmod g-w /data/shared_file.txt
    • Removes write permission for the group (g-w) from shared_file.txt.
  • sudo chmod o=r /data/public_info.txt
    • Sets permissions for others (o=) to only read (r) for public_info.txt.
  • sudo chmod -R a+rX /srv/app/config
    • Recursively adds read permission for all (a+r) to /srv/app/config and its contents. X (capital X) grants execute permission only if it’s a directory or if execute permission is already set for any user.

Common Patterns

  • Adding a user and immediately setting their password:

    sudo useradd -m newuser
    sudo passwd newuser
    
    • Create the user with a home directory, then set their password interactively.
  • Creating a user for a web server with restricted access:

    sudo useradd -r -s /sbin/nologin -d /var/www/myapp www-data
    sudo chown -R www-data:www-data /var/www/myapp
    sudo chmod -R 755 /var/www/myapp
    
    • Create a system user (-r) with no login shell (-s /sbin/nologin) and a specific home directory. Then, set ownership and permissions for the web content.
  • Granting a user sudo privileges:

    sudo usermod -aG sudo username
    
    • Appends the user to the sudo group, allowing them to run commands with sudo.
  • Checking who is logged in and their groups:

    who | awk '{print $1}' | sort | uniq | xargs -I {} id {}
    
    • Lists all unique logged-in users and then displays their id information.
  • Finding all files owned by a specific user:

    sudo find / -user olduser -print
    
    • Searches the entire filesystem for files owned by olduser.
  • Changing ownership of all files in a directory to a new user and group:

    sudo chown -R newuser:newgroup /path/to/directory
    
    • Recursively changes ownership for all items within the specified directory.

Gotchas

  • useradd vs adduser: useradd is a low-level utility that creates the user account but might not set up a home directory or prompt for a password by default. adduser (on Debian/Ubuntu systems) is a higher-level script that is more interactive and user-friendly, often creating the home directory, setting up skeleton files, and prompting for user information and password.
  • usermod -G overwrites supplementary groups: When using usermod -G, it replaces the user’s existing supplementary groups with the ones specified. Use usermod -aG to append groups.
  • Permissions after userdel -r: While userdel -r removes the user’s home directory, files they owned in other locations might still exist and become orphaned (owned by a non-existent UID/GID). You might need to use find and chown to reassign ownership.
  • UID/GID conflicts: Manually assigning UIDs or GIDs with useradd -u or groupadd -g can lead to conflicts if the ID is already in use by another user or group, potentially causing permission issues.
  • Log out/in required: Changes to group memberships often require the user to log out and log back in for the new group permissions to take effect.
  • /etc/passwd, /etc/shadow, /etc/group: These files store user and group information. Direct editing is generally discouraged and risky; use the provided commands instead. /etc/shadow contains hashed passwords and is only readable by root.
  • System users: Users created with useradd -r (or often with UIDs below 1000) are typically considered system users and may have different default permissions or no home directories.
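
Several states described above are visible directly in passwd- and shadow-format files: an empty password field after passwd -d, a '!' in front of the hash after passwd -l, and a UID shared by two accounts. The audit below is an added example, not part of the original cheatsheet; the function names, finding labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; all data below is constructed, not taken from a real host.

# Write sample passwd- and shadow-format files into directory $1.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
johndoe:x:1001:1001::/home/johndoe:/bin/bash
janedoe:x:1002:1002:Jane Doe, Marketing:/home/janedoe:/bin/zsh
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/bash
serviceuser:x:998:998::/home/serviceuser:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
johndoe::19000:0:99999:7:::
janedoe:!$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
jdoe:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::
serviceuser:!:19000::::::
EOF
}

# audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one finding per line:
#   DUPLICATE_UID uid first second  - two names share one UID (UID conflict)
#   EXTRA_UID0 name                 - a non-root name with UID 0
#   EMPTY_PASSWORD name             - empty hash field, as left by passwd -d
#   LOCKED_PASSWORD name            - '!' in front of a hash, as left by passwd -l
audit_accounts() {
    awk -F: '
        FNR == NR {                               # first file: passwd format
            if ($3 in seen) print "DUPLICATE_UID", $3, seen[$3], $1
            else seen[$3] = $1
            if ($3 == 0 && $1 != "root") print "EXTRA_UID0", $1
            next
        }
        $2 == ""     { print "EMPTY_PASSWORD", $1 }    # second file: shadow format
        $2 ~ /^![$]/ { print "LOCKED_PASSWORD", $1 }
    ' "$1" "$2"
}

# Run against the constructed sample; on a real host (as root):
#   audit_accounts /etc/passwd /etc/shadow
tmp=$(mktemp -d)
make_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

A bare '!' or '*' in the shadow field (as for serviceuser in the sample) means no password was ever set, so it is not reported as locked.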