How to Manage Linux User Accounts

The root user is all-powerful and has access to all commands. It has the power to read, write and execute absolutely anything on your server. It is better to disable direct root access to you box and instead log in as another user with more limited privileges. When you need to undertake administrative tasks, you can temporarily elevate to superuser privileges by prefixing commands with the sudo command. Examples:

sudo apt-get install <package>

The sudo program is shipped by default with most Linux distributions, but not all. You will need to install it if it is not part of your distribution. The command for Debian/Ubuntu is:

apt-get install sudo

For CentOS:

yum install sudo

In the following instructions, commands that require root privileges have the sudo prefix. The instructions use low-level user* commands and so should work on most Linux distributions. There is a higher-level program called adduser which is recommended for administration of user accounts on Debian-based distributions, including Ubuntu. Instructions for adduser are at the bottom of this tutorial.

Adding users

To create a new Linux user account, type the following commands, replacing "<username>" with the actual username. For username, I prefer to use people's full names, e.g. "kieranpotts".

sudo useradd <username>
sudo passwd <username>

Create the user's password at the prompt. My preference is to use 12-character strings consisting of a-z, A-Z, 0-9 and special characters. The random.org string generator is an excellent tool for making strong random passwords.

The useradd command accepts a wide variety of parameters. -d <home_dir> sets the user's home directory, which by default would be /home/<username>.

useradd -d /home/<custom_dir> <username>

To create a user without a home directory (something that you might want to do for security reasons):

useradd -M <username>

-e <date> sets the date when the account will expire;

useradd -e 2017-12-31 <username>

More useful still is a feature that allows you to specify an expiry time for the user's password. User accounts effectively become inactive when their passwords expire, unless an administrator extends the expiry time. The -f argument takes an integer for the number of days that the password will remain valid.

useradd -f <username>

In Linux, each user has its own UID (Unique Identification Number). By default, the UID is assigned automatically when you create a new user account (starting at UID 500, 501, 502...). Specify the UID with the -u option.

useradd -u 999 <username>

Users can be immediately added to one or more groups with the -G option. Groups are covered in more detail below.

useradd -G admins,webmasters,hostmasters <username>

The -c flag allows you to add comments to a user account. You may use this feature to log a user's full name or employee ID, for example.

useradd -c "Any comment here" <username>

Finally, sometimes you will create user accounts that will not be used for the purpose of logging in. You can assign different shells to users, and in the following example the user account is given the /sbin/nologin shell.

useradd -s /sbin/nologin <username>

Once a user is created, all of the user account details can be seen in the /etc/passwd file. The following command is also useful for retrieving security information about an account, such as when the password expires or was last changed.

chage <username>

Changing user accounts

To rename a user:

sudo usermod -l <newusername> <oldusername>

The usermod command accepts the same parameters as useradd. To change a user's password, run passwd.

To change the user's home directory and move all the files over from the old home directory:

sudo usermod -d /home/<newhomedir> -m <newusername>

After this command, you can delete the user's old home directory.

sudo rm -rf /home/<oldhomedir>

Deleting users

Use the following command to delete user accounts. The -r flag removes the user's home directory, too.

sudo userdel -r <username>

Groups

In Linux, user groups are a way of organising users. Group membership is administered through the /etc/group file. To create a new user group, use the groupadd command.

sudo groupadd <group_name>

Example:

sudo groupadd webmasters

To add a user to a group:

sudo usermod -G <group_name> <username>

To list all users in a group:

getent group <group_name>

To rename a user group:

sudo groupmod -n <newname> <oldname>

Every user has a default or primary group, which is what they join automatically when they login. When a user creates a file or launches a program, the file or the running process will be associated with the user's current group membership. To create files or run programs in a different group, the user must first call chgrp to switch to another group (of which they must be a member).

chgrp <groupname>

The newgrp command has the same effect and works in the same way.

Sudoers

If the user will need root-level privileges, add the user to the sudoers group. In Ubuntu, this group is appropriately called "sudo", while in CentOS it is known as the "wheel" group.

sudo usermod -aG sudo <username>
sudo usermod -aG wheel <username>

Limited user accounts that are part of the sudo/wheel group can switch to full administrator privilges by prepending administrator commands with "sudo":

sudo <command>

Or, to switch to the root user for the remainder of the session:

sudo su -

To logout of the root user account and return to your own, type "logout".

The sudoers file at /etc/sudoers provides a list of users that have root-level privileges. The file should not be edited directly with a text editor because if you make a mistake with the configuration you could lock out all users from the box entirely. Instead, use the visudo command to edit the sudoers configuration.

For security, all sudo commands require password entry to confirm the action. To receive an email whenever someone uses sudo, you will need to extend the sudoers configuration. Again, rather than edit the /etc/sudoers file directly, you should create an extension file in the /etc/sudoers.d directory. Any files in the /etc/sudoers.d directory will be automatically included and will extend the default configuration from /etc/sudoers.

Create a new file at /etc/sudoers.d/sudoers:

sudo nano /etc/sudoers.d/sudoers

Add the following lines to the file:

Defaults    mail_always
Defaults    mailto="<email_address>"

Close and save the file, then set permissions on the file:

sudo chmod 0440 /etc/sudoers.d/sudoers

You'll need to install a mailserver application if you have not already. sendmail is as good as any. Use the yum or apt package managers to install it.

Test the configuration by running some commands with sudo. Just listing the contents of the current directory should be enough to trigger the email alert.

sudo ls -lha

adduser

The adduser program provides a high-level API that wraps the various low-level user* commands. It is shipped with some Debian/Ubuntu distributions by default and is recommended for administration of user accounts on those distributions.

To add a user with adduser:

sudo adduser <username>

This single command:

  • creates a new user account;
  • creates a home directory for the user (/home/<username>) and copies default files from /etc/skel into it;
  • creates a group with the same name as the user and add the user to the group;
  • prompts for the user's password; and
  • prompts for additional information about the user including her full name.

To add a user to a custom group:

sudo adduser <username> <group_name>

Next steps

I recommend that you harden SSH access by disabling root access and requiring everyone to use private keys to login, in place of passwords.