Modifying Linux Users and Groups with Commands

Photo from Pexels by fauxels

In this post, we’ll be covering one of the first things any systems admin needs to know how to do: modify user accounts. User accounts are necessary to interact with an operating system; so, it’s important to understand the basic actions surrounding them. User accounts aren’t just for logging on either, it can be for various system processes as well. Additionally, they act as a primary security measure to prevent malicious access.

OVERVIEW

In this post, we’ll add, edit, and remove user accounts and groups.  Among other things, this will allow others to log in with these accounts, enable us to fix accounts for services, or delete accounts that are no longer required.

Typically, since editing users and groups correlates with an existing organization, we’ll be using the following department examples as a reference (notice that brian is a part of both departments):

  • developers: anna, brian
  • operations: cora, brian

NOTE: Distros
While these commands should work on most, if not all, Linux distributions, the commands in this article have been tested on the following distros only: CentOS 7 & Ubuntu 18.04.

Outline

  • How to Create Users & Groups
    • Creating Users
    • Creating Groups
  • How to Alter Users & Groups
    • Altering Users
    • Altering Groups
  • How to Delete Users & Groups
    • Deleting Users
    • Deleting Groups

Prerequisites

HOW TO CREATE USERS & GROUPS

Creating Users

First is creating a new user from scratch. The most basic syntax is as follows: sudo useradd <Username>.

[[email protected] ~]$ sudo useradd anna

Depending on your distro, the new user’s home directory may or may not be created; however, you can explicitly select this by using the -m or -M options.  -m will create the home directory: sudo useradd -m <Username>.

[[email protected] ~]$ sudo useradd -m brian

-M will omit the home directory: sudo useradd -M <UserName>.

[[email protected] ~]$ sudo useradd -M cora

NOTE: sudo
In the following images, since I’m logged in as the root user, I don’t need to explicitly use sudo. On production systems, it is bad practice to execute commands as the root user; however, for testing/demo purposes like this, there’s very little risk.

Creating Groups

By default, a new user will be a part of their own group. To check which group(s) a user currently belongs to, use the id command: id <Username>.

[[email protected] ~]$ id anna
uid=1001(anna) gid=1001(anna) groups=1001(anna)

All of the groups that the user belongs to will be listed next to groups=. The primary group for the user will be next to gid=, any other groups are considered supplementary.

NOTE: uid & gid numbers
All user and group names have numerical values assigned to them. The uid is the User IDentification number and the gid is the Group IDentification number. While you can specifically configure these uid/gid numbers, generally, it’s best to let the system automatically assign them: conflicts can break functionality or create security exposures.

To create a new group, use this syntax: sudo groupadd <GroupName>.

[[email protected] ~]$ sudo groupadd developers

If you’re following the example hierarchy above, go ahead and add the other group now:

[[email protected] ~]$ sudo groupadd operations

NOTE: new groups
By default, a new group will not have any users in it.

To validate further, the getent command will give you some info about a group you specify: getent group <GroupName>.

[[email protected] ~]$ getent group developers
developers:x:1004:
[[email protected] ~]$ getent group operations
operations:x:1005:

HOW TO ALTER USERS & GROUPS

Altering Users

WARNING: Altering users
Ensure you are changing the correct user or group as altering the wrong group can break the operating system.

Next, to change a user’s supplementary groups, use this syntax (the user will be removed from any supplementary groups they were a part of): sudo usermod <UserName> -G <GroupName>.

[[email protected] ~]$ sudo usermod anna -G developers
[[email protected] ~]$ sudo usermod brian -G operations

If needed, you can specify multiple groups at the same time by separating those groups with a comma.

[[email protected] ~]$ sudo usermod cora -G developers,operations

To add a user to more supplementary groups, without removing them from their current supplementary groups, use the -G option with the -a option: usermod <UserName> -G <GroupName> -a.

[[email protected] ~]$ sudo usermod brian -G developers -a

The previous commands should provide this result:

[[email protected] ~]$ id anna ;id brian ;id cora
uid=1001(anna) gid=1001(anna) groups=1001(anna),1004(developers)
uid=1002(brian) gid=1002(brian) groups=1002(brian),1004(developers),1005(operations)
uid=1003(cora) gid=1003(cora) groups=1003(cora),1004(developers),1005(operations)

NOTE: The -g option
A lowercase -g will change the user’s primary group. Unless you’re fixing the user’s primary group, it’s unlikely you’ll want to change this.

Altering Groups

To change a group’s name, use the -n option; for example, to change the group operations into sysadmins: sudo groupmod -n <NewGroupName> <OldGroupName>.

[[email protected] ~]$ sudo groupmod -n sysadmins operations
[[email protected] ~]$ id anna ;id brian ;id cora
uid=1001(anna) gid=1001(anna) groups=1001(anna),1004(developers)
uid=1002(brian) gid=1002(brian) groups=1002(brian),1004(developers),1005(sysadmins)
uid=1003(cora) gid=1003(cora) groups=1003(cora),1004(developers),1005(sysadmins)

If you prefer, the parameters can be moved around to accomplish the same thing: sudo groupmod <OldGroupName> -n <NewGroupName>.

[[email protected] ~]$ sudo groupmod sysadmins -n administrators
[[email protected] ~]$ id anna ;id brian ;id cora
uid=1001(anna) gid=1001(anna) groups=1001(anna),1004(developers)
uid=1002(brian) gid=1002(brian) groups=1002(brian),1004(developers),1005(administrators)
uid=1003(cora) gid=1003(cora) groups=1003(cora),1004(developers),1005(administrators)

NOTE: same gid
Changing the group name will retain the same gid number.

HOW TO DELETE USERS & GROUPS

Deleting Users

WARNING: Deleting Users & Groups
Again, like altering above, ensure you are deleting the correct user or group – deleting the wrong user/group can break the operating system.

Finally, to remove unnecessary users, execute the userdel command: sudo userdel <UserName>.

[[email protected] ~]$ sudo userdel cora

Now, there is no info available for the cora user:

[[email protected] ~]$ id cora
id: cora: no such user

NOTE: uid & gid Availability
Keep in mind, after deleting the user cora in this way, cora’s uid and gid will become available again; so, if you were to add another user named dave, the uid and gid might be the same as cora’s. This means that any files or directories previously owned by cora will now be owned and accessible by dave.

Deleting Groups

Similarly, to delete a group, use the groupdel command: sudo groupdel <GroupName>.

[[email protected] ~]$ getent group administrators
administrators:x:1005:brian
[[email protected] ~]$ sudo groupdel administrators

Now, there’s is no output from getent:

[[email protected] ~]$ getent group administrators

NOTE: gid Availability
Again, if a new group is created, it might have the same gid as the previously deleted group.

CONCLUSION

In this post, we’ve covered the basics of working with Linux user accounts and groups:

  • Adding Users & Groups
  • Modifying Users & Groups
  • Deleting Users & Groups

Now we can provision or alter others’ access to any Linux system!  For further reading and alternative methods for altering users & groups, see Modifying Linux Users and Groups via File Edits.

Leave a Reply